Exchange online locking users after token refresh? RRS feed

  • Question

  • Hi, 

    I work the helpdesk for our organization and i've been getting at least two calls every day about someone getting locked out of their accounts. I have Azure security reader privilege and have been digging into our logs to try and understand what is causing this issue. Here is an example: Every time its been office 365 exchange online that fails


    Looking at the audit logs i'm noticing that the account lock happens after a token refresh:

    A few seconds after the token refresh the account gets locked, at least that what it looks like. Unless there is something else im missing. It really does seem like a bug.

    A few other things to note:

    -Every single time this has happened, its during a connection to Exchange online. (see the first screenshot)

    -All users who experience this have been using Chrome as their primary browser. I have not seen this happen with any other browser. 

    -This issue started happening about 3-4 weeks ago. Prior to that, this has never happened. 

    -We do have a large portion of our users who use multiple devices/computer to connect to their email and travel quite a bit. 

    -I know there were some Exchange online service alerts/incidences but those didn't sound like they were the same thing. 

    Any thoughts? Is anyone else experiencing this?

    Friday, August 23, 2019 12:01 AM

All replies

  • Sorry i can't attach screenshots, its saying my account has not been verified. 
    Friday, August 23, 2019 12:06 AM
  • So are they only using the browser client/OWA? No Outlook apps? No mobile devices?
    Friday, August 23, 2019 7:57 AM
  • They are also using iPhones to check email (the native mail client), but thats not new, they have been using that for a few years now. Only about 3 weeks ago did something change and now they are getting locked out. 
    Friday, August 23, 2019 4:58 PM
  • It might just be the iPhones though, so try temporary disabling the mail app there. And what exactly do you see in the Azure AD sign-in logs for that user?
    Saturday, August 24, 2019 6:39 PM