Unable to log into Macbook after resetting Active Directory password

Thanks for the speedy reply!

The user is offsite. I was able to get him logged in just now, but it seems we're still running into issues with Keychain and iCloud.

To get him logged in, I asked him to first click on his portrait icon at the login prompt, then choose the option to log in as another user. Luckily, we had a local account that was previously created on this Macbook and I remembered the username and password. After that, he confirmed the Macbook was connected to his home WiFi, logged out, and then successfully logged back into his profile with his new password. Not sure why that worked, but I assume it was the communication between his Macbook and our MDM and/or Active Directory. After he logged in, he received an error about a keychain password but didn't grab a screenshot. Additionally, iCloud seems to have prompted him for his password and when he entered it in, he received a message stating his iCloud account would be locked for about 3 hours. He's now worried about locking his screen at all for fear of being unable to log back in again which is understandable.

I was reading here that we may be able to resolve the issue by resetting his Keychain, but that there may be risks involved and to not do it unless instructed to do so by Apple Support. I'm still looking into it, but appreciate your help so far. Have any further advice here?

Few updates:

• We use Apple Business Manager to automate parts of the MDM enrollment, but officially Workspace ONE UEM (formerly AirWatch) is our MDM.
• He sent me a screenshot just now of his Users & Groups settings and it appears that his user account is still listed as a Mobile account.
• He also tried logging out, and when he tried logging back in, he received a message stating that his account would be locked for 3 hours. We used the same workaround as before where we logged him into the local account, logged out, and then logged back in with his domain account successfully. No idea why that works.
• He says he doesn't use Keychain but he does use iCloud. He initially received a pop-up or something from iCloud stating the next failed login would be 3 hours. I'm wondering if this is our culprit?

Oh nice, thanks you too! I'm not 100% familiar with our setup yet, but I do know the company wants to move away from AirWatch soon and I'm assuming it's due to the switch from VMware to Broadcom. That'll be a fun project!

To answer your questions:

• Checked ADAuditPlus and confirmed his domain account hasn't been locked in at least 30 days.
• Yeah maybe but we did receive confirmation that it's his iCloud account that's being locked. Unless I'm simply selecting the wrong target within this tool, it looks like this only showed us lockouts for his domain account across various domain controllers.
• I asked him to try revoking sessions via iCloud.com and office.com when he has a moment so we'll see

I'm sure this is a syncing problem somewhere though. He's able to log into pretty much anything else with his domain username and password (new password). I feel like this has to be something cached locally, or hidden within his iCloud account. Do you happen to know if keychain automatically stores passwords saved to iCloud?