'%20cx='32'%20cy='32'%20r='32'%20/%3E%3Ctext%20x='50%25'%20y='55%25'%20dominant-baseline='middle'%20text-anchor='middle'%20fill='%23FFF'%20%3EAM%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
'%20cx='32'%20cy='32'%20r='32'%20/%3E%3Ctext%20x='50%25'%20y='55%25'%20dominant-baseline='middle'%20text-anchor='middle'%20fill='%23FFF'%20%3ER%3C/text%3E%3C/svg%3E)
The error AADSTS5000225: This tenant has been blocked due to inactivity means the Microsoft Entra tenant backing the “Default Directory” is in an inactive/blocked state. In this state, sign-in and Azure resources (including those needed to create PATs) are not available.
To authenticate again successfully, the options are:
- Check whether the tenant can still be reactivated
Tenants blocked due to inactivity can only be reactivated within 20 days of entering the inactive state. After 20 days, the tenant is permanently deleted and cannot be recovered. From the documented behavior:- When a tenant is blocked due to inactivity, sign-in returns
AADSTS5000225. - Administrators can request reactivation within 20 days; after that, the tenant is deleted and not recoverable.
- The tenant administrator must contact Microsoft support using the global support phone numbers to request reactivation.
- Only one assistance request should be open at a time; do not submit multiple tickets for the same issue.
- When a tenant is blocked due to inactivity, sign-in returns
- Try accessing the tenant directly by tenant ID or name
If the tenant is still within the recoverable window and has been reactivated (or is not fully deleted), it may be possible to reach it directly:- Sign in to Azure portal using a tenant-specific endpoint, for example:
https://portal.azure.com/<TenantId>orhttps://portal.azure.com/<yourTenantName>.onmicrosoft.com - If access succeeds, Azure DevOps and PAT creation should work again for that tenant.
- Sign in to Azure portal using a tenant-specific endpoint, for example:
- If the tenant is past the 20‑day window (permanently deleted)
In this case, the “Default Directory” tenant cannot be recovered:- It is necessary to work with a different active tenant to create PATs and publish the VS Code extension.
- Sign in with another tenant from the account dropdown (as the error suggests) or create a new tenant in Microsoft Entra ID and then use that tenant in Azure DevOps.
- Create or switch to a new tenant if needed
If the original tenant cannot be restored:- Sign in to the Entra admin portal (
entra.microsoft.com) with the Microsoft account. - Go to Entra ID → Overview → Manage tenants and create a new tenant.
- Note the new tenant’s domain name (for example,
newtenant.onmicrosoft.com). - Then sign in to Azure portal or Azure DevOps using the tenant-specific endpoint for this new tenant and create a PAT there.
- Sign in to the Entra admin portal (
In summary, successful re-authentication with the original “Default Directory” is only possible if it has been blocked for less than 20 days and the tenant admin gets it reactivated by Microsoft. Otherwise, a different or new tenant must be used to sign in and create the PAT needed for publishing the VS Code extension.
References:
- Tenant inaccessible due to inactivity
- 7 Day Old Azure Account: AADSTS5000225: This tenant has been blocked due to inactivity. - Microsoft Q&A
- Error message: interaction_required: AADSTS5000225: This tenant has been blocked due to inactivity - Microsoft Q&A
- Tenant inaccessible due to inactivity - Microsoft Q&A