Enabling Azure MFA causes user account to lockout in AD

Copper Contributor

Currently we are in a hybrid environment where we utilize ADConnect to sync passwords up to our Azure AD tenant.  All user mailboxes are on Office 365 with an Exchange 2010 SP3 environment on prem.  We also have Skype for Business on prem as well.  Please don't ask why we are setup this way.   Management and their infinite wisdom.  The users we are testing with have Office 2016 and I've enabled modern authentication for Exchange Online and verified they are connecting that way.  Well anytime I enable a user for MFA after about an hour or so they start getting prompted in Outlook and Skype for their credentials.  Entering them do not work nor does the app password.  What it turns out to be is their accounts are locked out in our on prem AD.

 

We've tried clearing out all credentials and that works sometimes.  My question is has anyone run into a scenario such as this where the users account locks out a while after MFA is enabled?  If so did you find a resolution?  We can't move forward with this until this won't happen everytime we enable someone.

 

Thanks in advanced.

9 Replies

Hi Derek,

 

Do the user have any other devices connected ?

 

I have seen in the past, that some devices do the lockout, that could be your cause.

Hi Nuno,

 

Users usually have a mobile device, but we go through and enroll them via MS Intune Company Portal before hand.  Once the user has MFA enabled we then go through the process of setting up their App Password which is then entered into the credentials section of the mail app they are using.  It usually accepts this part and contiues to sync.

 

I am wondering if this part is done too soon before everything has time to replicate causing the lockout.

 

Thanks

Just use app passwords, that are generated when you enable MFA. These passwords should be use for all non-web apps.

We are seeing the same issue. We have tried using both app passwords and the modern authentication. We get a continual password request loop from outlook that eventually locks the user account out.  We have ensured that exchange online is configured to allow modern auth. Did anyone come up with a solution.

We are having this issue also. We've determined that it's only the Skype 2016 client having the issue. It seems to be related to the initial connection to Skype. When you start up the computer, restart the computer, undock and redock the computer or if you open Skype at any point during the day.

I found an article on a similar issue that mentioned that the Skype client tries to authenticate to Exchange. I don't know what credentials is uses to connect, but neither the user's network password or the App Password work when the authentication boxes begin after opening Skype.

We're still looking for a resolution to this issue.

We are having the same issue.

Was there solution on this.

We found a solution.  Not use Azure MFA that MS has to offer since it is so buggy and lacking support and use a 3rd party solution.  We switched to Duo and it is light years ahead of MS in terms of functionality, administration, reporting and most importantly support.  I know that's an expense companies may not be looking for, but we were tired of fighting all the issues that came with Azure MFA and lack of support.  The conditional access policies they are pushing people towards aren't mature enough yet.

same issue here.

We have the same thing going on with Modern Authentication. I believe it has to do with our autodiscover records (SCP and DNS) pointing at our on-prem 2010 Exchange server (which doesn't support modern auth). I'm going to be changing it to point at Office 365 autodiscover this week. Hopefully it fixes it.