Locked out user can still login to Office 365 apps Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Christoph MülderChristoph Mülder 

Locked out user can still login to Office 365 apps

a user changed his password yesterday. His mobile device kept trying to login with the stored credentials. This led to "Account locked - max sign-in attempts exceeded" message in the suspicious activity report.
This is now 7hours ago.
The user is shown as locked out in Okta management. The account is coming from Active Directory. The account there is still unlocked.
When the user tries to sign in to okta via browser - he cannot. OK
When the user tries to sign into Office 365 via browser - he cannot.OK
But his Outlook and Skype are connected, receive mails and work ok. He can even logout from Skype for Business and login again - why?
Thanks for help
Kevin TurnerKevin Turner (Okta, Inc.)
The reason for this is because the refresh token that the Office thick client(s) receives from O365 after successful authentication has a lifetime of 90 days. The Office thick client must be re-authenticated all the way back to Okta only after this 90 days has elapsed.  The browser access does not have the refresh token and checks every time which is why it works.

Since 90 days is a long time, best practice for quickly removing a user's access to O365 is to de-activate and/or remove the user's licenses via Okta's O365 provisioning integration or via the  O365 console if you really want to block the access.