Hope I posted this in the correct group. Please redirect me in case it isnt.
We have complex Problem ticket going on, which we would sincerely appreciate an extra view on and possibly the resolution to it. I will use fictional domains for confidentiality purposes.
We use O365 with one-directional sync from our on-prem ADC (which is in AWS).
When we implemented the environment 2 years ago, we set up our AD domain using dummy.contoso.com, and the UPN to all our domain services including O365 was email@example.com. About 4 months ago, we decided to align our UPN to the domain we use in our email addresses, thus changed the UPN for all users to firstname.lastname@example.org. Post doing so, we did not receive any errors or related requests from users, and considered the change to be successful.
Now, since probably 1-2 months back, we have been experiencing several irregular incidents related to Account Lockout caused by password resets and O365 MFA-activation. During Problem Management, we tried to summarize these incidents into categories, but each case is quite unique, though we have a feeling that they all root down to an underlying issue after changing the UPN.
Some of the incidents are listed below.
- An account was being repeatedly locked out for no apparent reason.
- We tried to reset his password and unlock his account but it still got locked out repeatedly.
- After extensive troubleshooting, it turned out that there was several attempts at logging into his account from several different AKAMAI servers around the globe. Microsoft confirmed that these were AKAMAI servers, but could not explain why the attempts was made from these servers.
- His password was due to expire in 4 day
- He has 3 devices (Laptop, iPhone and iPad, both mobile devices using native email app)
- He was within our trusted network when trying to reset the password
- An account experienced lockouts in the middle of a weekend
- The password was not due to change, and he hadn’t reset the password for a while.
- An account got locked out post resetting the password on the domain computer using ctrl+alt+del
- Unlocked the account, but Outlook and native mail app on her iPhone was not accepting the password. Even after several attempts where the clients would not accept the password, the account was not locked out in AD.
- Reset the password again directly in AD and tried to update the clients, but it still wouldnt accept.
- Closed all O365 clients and flushed stored Windows Credentials
- Reopened the clients and it accepted the new password. After a few minutes, the UAC prompt again reappeared.. Closed the Prompt and then it didnt reappear. Finally it synced.
- MFA is dysfunctional on several O365 Admin accounts
- We activated MFA and assigned App passwords after the UPN change
- For some admins, it is not possible to sign into services like Skype fB, Teams etc. Meanwhile for others, some of the services work, some don’t
- Again disabling the MFA on failing accounts, it have taken a while before its even possible to log back into o365 clients using the regular password.
- Android devices cannot log into Teams, Onenote, VSTS etc
- Sporadically, some users cannot log in to O365 sites
- Mobile devices won't prompt to update the password post resetting it in AD, and eventually they produce Account Lockout.
Related technologies and policies:
- Exchange Online
- Sharepoint Online
- Microsoft Teams
- Visual Studio Team Services
- ADC in AWS: Windows Server 2012 R2 Standard
- RDC in branch offices: Windows Server 2012 R2 Standard
- OS: Windows 7 Enterprise and Windows 10 Enterprise - domain joined
- Password policy is set to expire every 60 days
- The old UPN is cached on the computers, and O365 services try to authenticate using these (resolving these days)
- In the backend of O365/Azure/On-Prem ADC, something got corrupted when we changed the UPN
What we want to do to proceed:
- Find similar customer case, where the UPN was changed for On-Prem AD and O365. How did they conduct the change, and did they experience similar issues?
- What is the behavior of AD and related services when you change the domain for an existing user account.
- What are the Best Practices for conducting the UPN/Domain change in similar environments?