maple85
May 20, 2020
Outlook for iOS Account blocked after password change
Hello @all! Hope someone can help me solve this weird issue. We have about 80 Intune enrolled devices, just iOS. My users now get pushed the Outlook app by Intune since we changed to this a...
Moe_Kinani
May 21, 2020
First thing came to my mind, do you have Conditional Access Policy that conflicts with your setup? Do you see any 'Device Access Rules' under Mobile section in Exchange Online?
Last resort, it could be an app config policy. Do you have legacy authentication disabled in your tenant? I would check the sign-in log from Azure AD -> Add Filter -> Client App -> check all the boxes to see if somehow these Outlook apps are trying to use something other than Modern Auth. This log should shed some light on the issue.
Good Luck!
Moe
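The log check Moe describes (filter the Azure AD sign-in log by client app and look at the failure reasons), done from PowerShell instead of the portal. This is an added example, not code from the thread. It assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Reports), an account with the AuditLog.Read.All and Directory.Read.All permissions, and a hypothetical user UPN; the list of legacy client-app names is the set Azure AD reports for Basic-auth protocols.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell
# SDK and an account holding AuditLog.Read.All + Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$user  = "philip@contoso.example"   # hypothetical UPN of the affected user
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# clientAppUsed values Azure AD reports for legacy (Basic) protocols.
# These are exactly what a "block legacy authentication" CA policy targets.
$legacyClients = @(
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Exchange Online PowerShell",
    "Reporting Web Services", "Other clients"
)

$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$user' and createdDateTime ge $since"

# 1. Every legacy-protocol attempt for this user, newest first,
#    with source location, CA outcome and Azure AD error.
$signIns |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Sort-Object CreatedDateTime -Descending |
    Select-Object CreatedDateTime, ClientAppUsed, IpAddress,
        @{ n = 'Country';   e = { $_.Location.CountryOrRegion } },
        @{ n = 'CAStatus';  e = { $_.ConditionalAccessStatus } },
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
        @{ n = 'Failure';   e = { $_.Status.FailureReason } } |
    Format-Table -AutoSize

# 2. Which error codes the failures hit, and through which client apps.
#    50053 = smart lockout ("Account is locked because user tried to sign in
#    too many times with an incorrect user ID or password").
#    53003 = blocked by a Conditional Access policy.
$signIns |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object { $_.Status.ErrorCode } |
    Select-Object @{ n = 'ErrorCode'; e = { $_.Name } }, Count,
        @{ n = 'Clients'; e = { ($_.Group.ClientAppUsed | Sort-Object -Unique) -join ', ' } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The first table is the portal's "Client App" filter with every box ticked; the second tells you whether the Outlook failures are lockouts (50053) or Conditional Access blocks (53003). The distinction matters because Conditional Access is evaluated after the password has been checked, so a stream of bad-password IMAP4 attempts still counts toward smart lockout even when a CA policy would have blocked the session afterwards.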
maple85
May 21, 2020
Hi,
I have checked your suggestion.
On Exchange Online we do not have any device access rules.
When I check the sign-in logs I see some tries from (China, Chisinau, Bangkok, ...) where someone tried to log in to his account with IMAP4 as the client app.
Failure Reason: Account is locked because user tried to sign in too many times with an incorrect user ID or password.
The last try was on 2 May.
And yes, we have two Conditional Access policies that block legacy auth and EAS.
The strange thing is that I did not see the sign-in try in the Azure logs.
User told me:
1) Open Outlook
2) Enter his password
3) Outlook wants to open the Authenticator app
4) User clicks on his account in the MS Authenticator app
5) Error message
Thanks!
Philip

Moe_Kinani
May 22, 2020
Hi Philip,
I think the issue is with the CA policy. Could you please create a new user (or take an existing one) and exclude them from the CA policy? Let it expire (create a dummy expiration policy) and see how it goes.
I think you may need to block legacy authentication using Security Defaults in Azure AD, because the default ones in CA will be deprecated soon.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Moe

Thijs Lecomte
May 23, 2020
I think it might be a coincidence that your users are getting this prompt as you have spotted malicious sign-ins.
If a lot of failed sign-ins happen in a short timespan, the account can get locked, as specified in https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade
I would also recommend disabling legacy authentication using authentication policies in Exchange Online, because this would make sure an account isn't locked due to failed sign-ins while using legacy authentication.

maple85
May 26, 2020
Thank you for that tip.
But the last malicious sign-ins were on 2 May and it is still not working.
If I create this policy on Exchange, which I think is a good idea, I think I will get trouble with some old services that use SMTP...?
Thanks, Philip
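Thijs's recommendation (Exchange Online authentication policies) together with Philip's concern about old services that still use SMTP, worked through as an added example that is not code from the thread. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and a hypothetical service account that has to keep using SMTP AUTH; the policy names are illustrative.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement
# module and Exchange admin rights; identities and policy names are hypothetical.
Connect-ExchangeOnline

# 1. A policy that rejects Basic auth on every protocol. All AllowBasicAuth*
#    switches default to $false, so naming it is enough.
New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. Make it the tenant-wide default so every user without an explicit
#    assignment gets it (this is what stops IMAP4/POP3 password sprays
#    at the Exchange layer, before Azure AD sees a password attempt).
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. An exception policy that re-allows ONLY SMTP AUTH, for the old
#    scanner/application that cannot do modern auth.
New-AuthenticationPolicy -Name "Allow Basic SMTP Only" -AllowBasicAuthSmtp

# 4. Assign the exception to that specific account, not to a group of users.
$svc = "scanner-smtp@contoso.example"   # hypothetical service account
Set-User -Identity $svc -AuthenticationPolicy "Allow Basic SMTP Only"

# Policy changes can take up to 24 hours to apply; this forces Exchange
# to re-evaluate the account immediately.
Set-User -Identity $svc -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 5. Verify: what each policy allows, and which users carry an exception.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Two caveats a practitioner would check before rolling this out. First, the Exchange authentication policy and the Conditional Access "block legacy auth" policy are enforced independently: if the CA policy in the thread still applies to the service account, its SMTP AUTH sign-in is blocked by Azure AD regardless of the Exchange exception, so the account needs a matching CA exclusion (and, ideally, a long random password and a named-location restriction to compensate). Second, run the verification in step 5 against the sign-in log before the cutover: any mailbox that shows legitimate successful "Authenticated SMTP" or "IMAP4" traffic is a service that will break under the default policy and needs either the exception or migrating off Basic auth.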