The IAM Event - Account Locked event occurs when a user (or more commonly a hacker or bot) attempts to log in to the account repeatedly in rapid succession. Microsoft then locks the account. An important thing about this kind of lock is that it does not show in the admin portal, the lock is based on the account ID and the IP location it is being attempted from. In most cases the account user is unaware of this event as it does not affect their active session. The account is automatically unlocked after 15 minutes. If the hacker or bot tries again and re-locks the account SaaS Alerts tracks that activity. If the Account is locked by this repeated action more than 3 times within 12 hours, SaaS Alerts creates an IAM Event - Multiple Account Locks Alert.
Contact the Customer or User and make them aware of this event. Confirm if the User has been able to gain access to their SaaS Application. For some applications, this action only occurs when triggered by an administrator.
To learn more about Microsoft account lockouts please follow the link below: