Outlook for iOS Account blocked after password change


Hello @all!

 

Hope someone can help me solve this weird issue.

 

We have about 80 Intune-enrolled devices, just iOS.

My users now get the Outlook app pushed by Intune, since we changed to this app.

Before, they downloaded it from the App Store or Company Portal.

 

Outlook connects to Exchange Online.

 

We have an Outlook app configuration policy where we set the following under E-Mail Account configuration:

Configure email account settings: Yes
Authentication type: ModernAuth
Username attribute from AAD: User Principal Name
Email address attribute from AAD: Primary SMTP Address
Allow only work or school accounts: Disabled
 
Here is my problem:
Users have to change their domain password every 6 months.
After this password change some users get an error message when they start Outlook that says:
Account Blocked - Your Account is Blocked. Please contact your System Administrator to unblock your account. (Attachment)
 
But the account isn't locked. Or I don't know where to look?
For some users it worked again after two days. But I don't know why this happened or how to solve it.
 
Now I have a user where it isn't working. I already retired and re-enrolled his device, but with no luck.
 
Can someone please help me figure out why this happened?
 
I also checked in the Exchange Online admin center:
in "mobile device access" we do not have any policies;
in "mobile device mailbox policies" we just have the default policy.
 
When I look at the recipient's mailbox under mailbox features, Mobile Devices, I see "Access granted"?
 
I hope it is clear what my problem is.
And sorry for the long text...
 
Thanks!
 
OutlookiOS_Account_Blocked.jpg

  

OutlookiOS_config.png

 
 
7 Replies

@maple85 

 

First thing that came to my mind: do you have a Conditional Access policy that conflicts with your setup? Do you see any 'Device Access Rules' under the Mobile section in Exchange Online?

 

Last resort, it could be the app config policy. Do you have legacy authentication disabled in your tenant? I would check the sign-in log from Azure AD -> Add Filter -> Client App -> check all the boxes to see if somehow these Outlook apps are trying to use something other than Modern Auth. This log should shed some light on the issue.

 

Good Luck!

Moe

 

Thanks!

Moe

Hi,
I have checked your suggestion.
On Exchange Online we do not have any device access rules.

When I check the sign-in logs I see some tries from "China, Chisinau, Bangkok, ..." where someone tried to log in to his account with IMAP4 as the client app.
Failure Reason: Account is locked because user tried to sign in too many times with an incorrect user ID or password.
Last try was 2nd May.

And yes, we have two Conditional Access policies that block legacy auth and EAS.


Strange thing is that I did not see the sign-in try in the Azure logs.
User told me:
1) Open Outlook
2) Enter his password
3) Outlook wants to open the Authenticator app
4) User clicks on his account in the MS Authenticator app
5) Error message

Thanks!
Philip
Hi Philip,

I think the issue is with the CA policy; could you please create a new/existing user and exclude them from the CA policy? Let it expire (create a dump expiration policy) and see how it goes.

I think you may need to block legacy authentication using Security Defaults in Azure AD, because the default ones in CA will be deprecated soon.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

Moe
I think it might be a coincidence that your users are getting this prompt as you have spotted malicious sign-ins.

If a lot of failed sign-ins happen in a short time span, the account can get locked, as specified in https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade

I would also recommend disabling legacy authentication using Authentication Policies in Exchange Online, because this would make sure an account isn't locked due to failed sign-ins while using legacy authentication.
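The two checks suggested in this thread (filter the Azure AD sign-in log by client app, and look for bursts of failed sign-ins that would trip smart lockout) can be automated. The following is an added example, not code from the original thread or from Microsoft: it runs over a small set of constructed records shaped like Azure AD sign-in log entries (field names `userPrincipalName`, `createdDateTime`, `clientAppUsed`, `location`, `status.errorCode`, `status.failureReason` follow the sign-in log schema; the users, times and locations are made up), flags non-modern-auth client apps such as IMAP4, counts failures per user inside a sliding window against the default smart-lockout threshold of 10, and returns a per-user verdict on whether an "account blocked" message is explained by failed legacy-auth sign-ins rather than by the Outlook app configuration. Error codes 50053 (account locked) and 50126 (invalid credentials) are the documented Azure AD values; the threshold and window are parameters you should set to your tenant's lockout settings.

```python
"""Triage Azure AD sign-in records after an "Account Blocked" report.

Added example, not from the original thread. Separates a lockout caused by
failed legacy-auth (IMAP4/POP/EAS basic) sign-ins from an Outlook app or
Conditional Access problem, using only fields present in the sign-in log.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values that Azure AD reports for modern (OAuth) authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

IDS_LOCKED = 50053     # Azure AD: account locked by smart lockout
BAD_PASSWORD = 50126   # Azure AD: invalid username or password


def _rec(upn, ts, app, loc, code, reason=""):
    """Build one record shaped like an Azure AD sign-in log entry (constructed data)."""
    return {"userPrincipalName": upn, "createdDateTime": ts, "clientAppUsed": app,
            "location": loc, "status": {"errorCode": code, "failureReason": reason}}


# Constructed sample: ten bad-password IMAP4 attempts from abroad in 20 minutes,
# then the lockout, then the user's own (successful) modern-auth sign-in.
SAMPLE_SIGNINS = [
    _rec("philip@contoso.example", f"2020-05-02T03:{m:02d}:00Z", "IMAP4", "Bangkok, TH",
         BAD_PASSWORD, "Invalid username or password") for m in range(0, 20, 2)
] + [
    _rec("philip@contoso.example", "2020-05-02T03:21:00Z", "IMAP4", "Chisinau, MD", IDS_LOCKED,
         "Account is locked because user tried to sign in too many times "
         "with an incorrect user ID or password."),
    _rec("philip@contoso.example", "2020-05-02T08:00:00Z", "Mobile Apps and Desktop clients",
         "Vienna, AT", 0),
    _rec("anna@contoso.example", "2020-05-02T08:05:00Z", "Mobile Apps and Desktop clients",
         "Vienna, AT", 0),
    _rec("anna@contoso.example", "2020-05-02T08:06:00Z", "Browser", "Vienna, AT",
         BAD_PASSWORD, "Invalid username or password"),
]


def parse_ts(s):
    """Parse the UTC timestamp format used in sign-in log exports."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def legacy_auth_signins(records):
    """Records whose client app is not one of the modern-auth client types."""
    return [r for r in records if r["clientAppUsed"] not in MODERN_CLIENT_APPS]


def failure_bursts(records, threshold=10, window=timedelta(hours=1)):
    """Per user: the largest number of failed sign-ins inside any sliding `window`,
    and whether that meets `threshold` (10 is the smart-lockout default)."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            by_user[r["userPrincipalName"]].append(parse_ts(r["createdDateTime"]))
    result = {}
    for upn, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        result[upn] = {"max_failures_in_window": best, "would_lock": best >= threshold}
    return result


def lockout_events(records):
    """(user, time, client app, location) for every explicit lockout record."""
    return [(r["userPrincipalName"], r["createdDateTime"], r["clientAppUsed"], r["location"])
            for r in records if r["status"]["errorCode"] == IDS_LOCKED]


def triage(records):
    """Per-user summary with a verdict on what explains the 'account blocked' message."""
    bursts = failure_bursts(records)
    legacy_by_user = Counter(r["userPrincipalName"] for r in legacy_auth_signins(records))
    locked_users = {upn for upn, *_ in lockout_events(records)}
    summary = {}
    for upn in {r["userPrincipalName"] for r in records}:
        b = bursts.get(upn, {"max_failures_in_window": 0, "would_lock": False})
        if upn in locked_users and legacy_by_user.get(upn):
            verdict = "lockout caused by failed legacy-auth sign-ins"
        elif upn in locked_users:
            verdict = "lockout not explained by legacy auth; check CA and app config"
        else:
            verdict = "no lockout in window"
        summary[upn] = {"legacy_auth_attempts": legacy_by_user.get(upn, 0),
                        "max_failures_in_window": b["max_failures_in_window"],
                        "locked_out": upn in locked_users, "verdict": verdict}
    return summary


if __name__ == "__main__":
    for upn, info in sorted(triage(SAMPLE_SIGNINS).items()):
        print(upn, info)
```

With real data, export the sign-in log (portal download or the Graph `signIns` resource) into the same record shape and pass it to `triage`; a user whose lockout record is preceded by a burst of IMAP4/POP/EAS failures from unfamiliar locations is the case where an Exchange Online authentication policy (blocking basic auth for those protocols) removes the lockout path, while a user with a lockout and no legacy-auth attempts points back at the Conditional Access or app configuration.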

Thank you for that tip.
But the last malicious sign-ins were on 2nd May and it is still not working.

If I create this policy in Exchange, which I think is a good idea, I think I will get trouble with some old services that use SMTP...?

Thanks, Philip

Hi All,

I found a solution.

The problem was that the iPhone saves account information in the Keychain.

I downloaded the OneDrive App.

Open Settings -> OneDrive -> Clear Account Data

Then I opened the OneDrive app to delete the data.

In Azure AD I clicked on Revoke MFA session and reinstalled Outlook.

After these steps it worked.

 

This article pointed me in the right direction:

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/37422262-ios-apps-cannot-clear...

A customer of mine had a similar issue (which is why I came across this page). After a password change, a user's account got repeatedly locked out when synchronizing Outlook on an iOS device. The sync started but stopped after some time with the message that the account is locked out. Factory-resetting the iOS device or replacing it didn't help. 2 out of 60 users were affected. The feedback I got was that the issue was finally fixed by replacing the German special characters (ä, ö, ü) in the passwords. I can't give any more background, but I describe the issue to prevent others from going crazy.