It’s important to have in mind that there’s more than one concept around a user being blocked. In particular, a user can be blocked administratively in which case they can also only be unblocked by the opposite administrative action which would be a tenant admin unblocking the user through the dashboard or through a client application which has permissions to call the Management API and that application performing a user update that unblocks the user.
In addition to that, a user can also be blocked from completing a login because of attack protection related features. In particular, the brute force protection (Brute-Force Protection) can block a user from completing a login if the user in question submits incorrect credentials above a configured threshold.
In the case of a brute force protection block the end-user can indeed unblock himself either by completing a password reset or by accessing the unblock URL that can be sent to the user’s email inbox when the blocking occurs.