Forum Discussion
maple85
May 20, 2020 Copper Contributor
Outlook for iOS Account blocked after password change
Hello @all! Hope someone can help me solve this weird issue. We have about 80 Intune-enrolled devices. Just iOS. My users now get pushed the Outlook app by Intune since we changed to this a...
maple85
May 21, 2020 Copper Contributor
Hi,
I have checked your suggestion.
On Exchange Online we do not have any device access rules.
When I check the sign-in logs I see some tries from (China, Chisinau, Bangkok, ...) where someone tried to log in to his account with IMAP4 as client app.
Failure Reason: Account is locked because user tried to sign in too many times with an incorrect user ID or password.
Last try was 2nd May.
And yes, we have two Conditional Access policies which block legacy auth and EAS.
Strange thing is that I did not see the sign-in try in the Azure logs.
User told me:
1) Open Outlook
2) Enter his password
3) Outlook wants to open the Authenticator app
4) User clicks on his account in the MS Authenticator app
5) Error message
Thanks!
Philip
Thijs Lecomte
May 23, 2020 Bronze Contributor
I think it might be a coincidence that your users are getting this prompt as you have spotted malicious sign-ins.
If a lot of failed sign-ins happen in a short timespan, the account can get locked as specified in https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade
I would recommend also disabling legacy authentication using Authentication Policies in Exchange Online, because this would make sure an account isn't locked due to failed sign-ins while using legacy authentication.
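An added example, not part of the original posts: a triage pass over exported sign-in records that counts legacy-protocol failures and lockouts per user and lists legacy clients that still sign in successfully, which are the ones an Exchange Online authentication policy would cut off. Field names follow the Microsoft Graph `signIn` resource; the set of legacy client app names is an assumption and the sample records are constructed.

```python
from collections import defaultdict

# Assumption: clientAppUsed values treated here as legacy (basic) authentication.
LEGACY_APPS = {"imap4", "pop3", "authenticated smtp", "other clients"}
LOCKED = 50053        # AADSTS50053: account locked after too many bad sign-ins
BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password


def triage(sign_ins):
    """Summarise legacy-auth activity per user from sign-in log records."""
    report = defaultdict(lambda: {"legacy_failures": 0, "lockouts": 0,
                                  "countries": set(), "legacy_in_use": set()})
    for rec in sign_ins:
        app = rec["clientAppUsed"]
        if app.lower() not in LEGACY_APPS:
            continue  # modern-auth clients are out of scope for this check
        entry = report[rec["userPrincipalName"]]
        code = rec["status"]["errorCode"]
        if code == 0:
            # A working legacy client: it stops once basic auth is blocked.
            entry["legacy_in_use"].add(app)
            continue
        entry["legacy_failures"] += 1
        entry["countries"].add(rec["location"]["countryOrRegion"])
        if code == LOCKED:
            entry["lockouts"] += 1
    return dict(report)


def _rec(upn, app, code, country):
    """Build one constructed record in the shape of a Graph signIn entry."""
    return {"userPrincipalName": upn, "clientAppUsed": app,
            "status": {"errorCode": code},
            "location": {"countryOrRegion": country}}


# Constructed sample data (not taken from the thread's tenant).
SAMPLE = [
    _rec("user1@example.com", "IMAP4", BAD_PASSWORD, "CN"),
    _rec("user1@example.com", "IMAP4", BAD_PASSWORD, "MD"),
    _rec("user1@example.com", "IMAP4", BAD_PASSWORD, "TH"),
    _rec("user1@example.com", "IMAP4", LOCKED, "CN"),
    _rec("user1@example.com", "Mobile Apps and Desktop clients", 0, "DE"),
    _rec("scanner@example.com", "Authenticated SMTP", 0, "DE"),
]

if __name__ == "__main__":
    for upn, summary in triage(SAMPLE).items():
        print(upn, summary)
```

Accounts that show up under `legacy_in_use` are the ones to migrate or exempt before basic authentication is blocked for everyone.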
- maple85
May 26, 2020 Copper Contributor
Thank you for that tip.
But the last malicious sign-ins were on 2nd May, but it is still not working.
If I create this policy on Exchange, which I think is a good idea, I think I will get trouble with some old services that use SMTP...?
Thanks, Philip
- maple85
May 27, 2020 Copper Contributor
Hi All,
I found a solution.
The problem was that the iPhone saves account information in the Keychain.
I downloaded the OneDrive app.
Open Settings -> OneDrive -> Clear Account Data
Then opened the OneDrive app to delete data.
In Azure AD I clicked on Revoke MFA session and reinstalled Outlook.
After these steps it worked.
This article pointed me to the right direction:
- Frank_Maxwitat
Aug 30, 2021 Copper Contributor
A customer of mine had a similar issue (which is why I came across this page). After a password change, a user's account got repeatedly locked out when synchronizing Outlook on an iOS device. The sync started but stopped after some time with the message that the account is locked out. Factory-resetting the iOS device or replacing it didn't help. 2 out of 60 users affected. The feedback I got was that the issue was finally fixed when replacing German special characters (ä, ö, ü) in the passwords. I can't give any more background but describe the issue to prevent others from going crazy.