Office 365 ProPlus: frequent "deactivations" & invalid MS-generated passwords

Our customer subscribes to the Office 365 ProPlus app-only plan.  We deployed ProPlus in shared computer activation mode, because staff sometimes roam around on different computers, and we use a dedicated share on the customer’s file server to host the licensing tokens to make this possible.  Another pertinent detail:  when we provision the staff accounts for 365, we use Microsoft’s “generate a random password” function to generate one for each account.  We don’t pick specific passwords ourselves because users don’t need to sign in very often, since the only function provided by 365 is the desktop Office suite, and the license token on the file server is supposed to “follow them around” to other PCs.  In fact, we don't even issue the 365 passwords to the users, so they can't go around to home PCs and install Office software.  I mention this information about the passwords for reasons that’ll become clearer in a moment.

Lately we’ve been seeing random instances of Office suites on staff PCs losing activation.  There’s a message to the effect that Office is having trouble signing in, and that the suite’s features will be deactivated by a certain date if signin isn’t fixed.  What’s odd—and it’s why I mentioned the passwords—is that when IT goes to sign the user back in, invariably the user’s Microsoft-generated password doesn’t work anymore (says the password is bad/incorrect), and must be reset.  Once the password is reset, sometimes it’s necessary to delete the licensing token for that user, and afterwards signin succeeds and the Office suite activates again normally.  In many cases, though, leaving the existing license token in place works just fine.  Users can’t reset their own passwords, so this isn’t something the staff is doing, and I also followed Microsoft’s admin center recommendation to disable password expiration, so they shouldn’t be expiring either.

One more wrinkle:  we recently patched and rebooted the file server that the tokens reside on, and that caused some (but not all!) users to lose their Office activations.  The server was inaccessible for less than 5 minutes during the reboot; several clients deactivated, even when Office was quit/relaunched or the whole PC was restarted.  However, we've also seen ProPlus clients become deactivated days after this reboot occurred (they worked after it occurred, then became deactivated days later).

With all of this in mind, I have the following questions:

1)  The incident with the file server restart aside, why do the deactivations happen spontaneously/at random?

2)  With regard to the file server incident:  how do we mitigate this going forward?  Surely the desktop apps should be able to recover from a momentary loss of network connectivity without immediately deactivating and becoming useless?  I'd understand if Office apps entered reduced functionality mode when an interruption is detected, but why do they stay that way when the server comes back up?

3)  Why are the temporary passwords becoming invalid?  That's crucial here--we have to reset the user's password every time activation is lost, which requires administrative intervention by IT.

It looks like we might be dealing with two separate issues, but I'm not sure.

Thanks for your help!