Forum Discussion

maple85
Copper Contributor
May 20, 2020

Outlook for iOS Account blocked after password change

Hello @all!

Hope someone can help me solve this weird issue.

We have about 80 Intune-enrolled devices, just iOS.

My users now get the Outlook app pushed by Intune since we changed to this app. Before, they downloaded it from the App Store or Company Portal.

Outlook connects to Exchange Online.

We have an Outlook app configuration policy where we set, under E-Mail account configuration:

Configure email account settings: Yes
Authentication type: ModernAuth
Username attribute from AAD: User Principal Name
Email address attribute from AAD: Primary SMTP Address
Allow only work or school accounts: Disabled

Here is my problem:
Users have to change their domain password every 6 months.
After this password change some users get an error message when they start Outlook that says:
Account Blocked - Your Account is Blocked. Please contact your System Administrator to unblock your account. (Attachment)

But the account isn't locked. Or I don't know where to look?
For some users it worked again after two days. But I don't know why this happened and how to solve it.

Now I have a user where it doesn't. I already retired and re-enrolled his device, but with no luck.

Can someone please help me figure out why this happened?

I also checked in the Exchange Online admin center:
in "mobile device access" we do not have any policies
in "mobile device mailbox policies" we just have the default policy.

When I look at the recipient's mailbox under mailbox features > Mobile Devices, I see "Access granted"?

I hope it is clear what my problem is.
And sorry for the long text...

Thanks!

7 Replies

  • Moe_Kinani
    Bronze Contributor

    maple85

    First thing that came to my mind: do you have a Conditional Access policy that conflicts with your setup? Do you see any 'Device Access Rules' under the Mobile section in Exchange Online?

    Last resort, it could be the app config policy. Do you have legacy authentication disabled in your tenant? I would check the sign-in log from Azure AD -> Add Filter -> Client App -> check all the boxes to see if somehow these Outlook apps are trying to use something other than Modern Auth. This log should shed some light on the issue.

    Good luck!

    Moe

    Thanks!

    Moe

    • maple85
      Copper Contributor
      Hi,
      I have checked your suggestions.
      On Exchange Online we do not have any device access rules.

      When I check the sign-in logs I see some attempts from (China, Chisinau, Bangkok, ...) where someone tried to log in to his account with IMAP4 as the client app.
      Failure Reason: Account is locked because user tried to sign in too many times with an incorrect user ID or password.
      The last attempt was 2nd May.

      And yes, we have two Conditional Access policies that block legacy auth and EAS.

      The strange thing is that I did not see the sign-in attempt in the Azure logs.
      The user told me:
      1) Open Outlook
      2) Enter his password
      3) Outlook wants to open the Authenticator app
      4) User clicks on his account in the MS Authenticator app
      5) Error message

      Thanks!
      Philip
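
The sign-in log check Moe describes and the IMAP4 lockout pattern Philip found can be pulled out of Azure AD in one go. The script below is an added example, not code from the thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Get-MgAuditLogSignIn`) to list one user's recent sign-ins, separate the legacy-protocol attempts from the rest, and show the smart-lockout failures with their source. The UPN, the 30-day window and the list of legacy client-app names are assumptions.

```powershell
# Added example, not from the thread: triage one user's Azure AD sign-in log for
# legacy-protocol sign-ins and smart-lockout failures with the Microsoft Graph
# PowerShell SDK. Assumes the Microsoft.Graph module is installed and the admin can
# consent to AuditLog.Read.All and Directory.Read.All. The UPN, the 30-day window
# and the list of legacy client-app names are assumptions.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn   = 'user@contoso.example'   # placeholder, replace with the affected user's UPN
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Client-app names Azure AD reports for Basic-auth (legacy) protocols. Partial list
# built from values shown in the portal's Client App filter; extend as needed.
$legacyClients = @(
    'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP', 'Exchange ActiveSync',
    'Exchange Web Services', 'Autodiscover', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Other clients'
)

$signIns = @(Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since")

# 50053 is the Azure AD error code behind "Account is locked because user tried to
# sign in too many times with an incorrect user ID or password" (smart lockout).
$lockouts = @($signIns | Where-Object { $_.Status.ErrorCode -eq 50053 })
$legacy   = @($signIns | Where-Object { $legacyClients -contains $_.ClientAppUsed })

"Sign-ins for $upn since $since : $($signIns.Count) total, " +
"$($legacy.Count) via legacy protocols, $($lockouts.Count) smart-lockout failures"

# Where are the legacy attempts coming from? One row per client app / country pair.
$legacy |
    Group-Object { "$($_.ClientAppUsed) from $($_.Location.CountryOrRegion)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Most recent lockout events. If every one of them is a legacy protocol from an
# unexpected location, the lockouts are being triggered from outside the
# organisation rather than by the Outlook app or its configuration policy.
$lockouts |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 10 CreatedDateTime, ClientAppUsed, IpAddress,
        @{ Name = 'Country'; Expression = { $_.Location.CountryOrRegion } },
        @{ Name = 'Reason';  Expression = { $_.Status.FailureReason } } |
    Format-Table -AutoSize
```

Run it for one affected user right after they report the "Account Blocked" prompt; if the lockout timestamps line up with a burst of IMAP4 or other legacy-protocol failures, the Outlook app is only showing the consequence of the lockout, and the fix belongs on the legacy-auth side rather than in the app configuration policy.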
      • Thijs Lecomte
        Bronze Contributor
        I think it might be a coincidence that your users are getting this prompt as you have spotted malicious sign-ins.

        If a lot of failed sign-ins happen in a short time span, the account can get locked as specified in https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade

        I would also recommend disabling legacy authentication using Authentication Policies in Exchange Online, because this would make sure an account isn't locked due to failed sign-ins while using legacy authentication.
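
The Exchange Online side of Thijs's suggestion, as an added example that is not part of the thread: an authentication policy that blocks Basic authentication for every protocol, piloted on one mailbox and then made the tenant default. It assumes the ExchangeOnlineManagement module and an account with Exchange admin rights; the policy name and the mailbox are placeholders.

```powershell
# Added example, not from the thread: block Basic (legacy) authentication in
# Exchange Online with an authentication policy, pilot it on one mailbox, then make
# it the tenant default. Assumes the ExchangeOnlineManagement module and an account
# with the Organization Management role. Policy name and the UPN are placeholders.

Connect-ExchangeOnline

$policyName = 'Block Basic Auth'
$pilotUser  = 'user@contoso.example'   # placeholder

# A newly created authentication policy blocks Basic auth for all protocols by
# default; the switches are set explicitly here so the intent survives later edits.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthWebServices:$false

# Pilot: assign the policy to one user and reset the token validity time so it
# applies immediately instead of after the normal propagation delay (up to 24 h).
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
Set-User -Identity $pilotUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Verify the assignment and the effective per-protocol settings.
Get-User -Identity $pilotUser | Format-List UserPrincipalName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName | Format-List AllowBasicAuth*

# Once the pilot is clean, make the policy the default for every user without an
# explicit assignment. Modern Auth clients such as Outlook for iOS are unaffected,
# because the policy only governs Basic authentication.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Blocking Basic auth at the Exchange Online edge stops the IMAP4/POP3/SMTP credential attempts before they reach Azure AD, so they no longer count toward smart lockout; the Conditional Access policies that block legacy auth remain useful as a second layer, but they only evaluate after the credential has already been checked.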
