Forum Discussion
Tyler Miller
Jan 26, 2018
Brass Contributor
Locking out a user with MFA enabled
Hi,
I am very new to MFA with O365. We just implemented MFA for a few users, including myself. I enabled MFA a few days ago, and then yesterday proceeded to change my password. Since my phone does not accept modern authentication, I had to use an App Password. When I reset my O365 password, my phone was never prompted for anything new. This is great, EXCEPT if I have an employee who leaves the company. In the past, I have just reset their password, which locks them out of the email system on their phone. My experience recently shows that this is not the case, unless I am missing something? Any help is appreciated.
App passwords are EVIL, they should not be used. Period. Every device platform now has at least one mail app that supports MFA, switch to it and disable app passwords completely. They are a nasty workaround that should be a thing of the past now.
- Tyler Miller, Brass Contributor
Vasil,
I do not like App Passwords either, BUT Outlook 2016 would NOT do modern authentication, the only way I can get it to work is to use an App Password. These accounts were set up in Outlook already, and then we enabled MFA, so maybe I have to set up a new profile? IDK, but several people with Outlook 2016 (all updated), could not get modern authentication to work, the only thing it would take was an App Password. I also have a GS7 and the default mail app would not do modern authentication either, I had to use an App Password. Any suggestions?
Outlook 2016 definitely supports Modern auth, make sure it's not disabled on the client side though. So does the Outlook mobile app, which is available on any platform. Stick to it.
When someone leaves you really should disable their account so sign-in is blocked, why leave their account open?
- Tyler Miller, Brass Contributor
How do I block their sign in? We usually leave the account open because managers like to get into the email inboxes and take a look, as well as we have a forward in place for the first few weeks. I have typically just changed the user's password, which would kick them out of their devices, but not so with MFA. Any help on how to block sign in would be great.
What type of accounts are these? Are they AD accounts which are synced using Azure AD Connect or cloud only accounts?