Okta's password policy evaluates and counts login failures separately for Basic Auth and for the standard Okta login flow. This can produce behavior that appears to lock out users before they reach the configured maximum number of failed logins.
For a user who has failed logins when trying to connect to Okta from Azure AD, an admin will see failed login events on the /app/office365/{{id}}/sso/wsfed/username13? endpoint.
If the same user then logs in successfully in Okta through the normal flow (which uses the /api/v1/authn endpoint), this will not reset the failed login counter for Azure AD.
If the user continues to fail to log in through Azure AD, the user will be locked out seemingly before reaching the configured failed login threshold.
To resolve this, clear the user sessions for the affected users. This clears the credentials cached by the Office 365 applications and prompts the user for their current credentials the next time they launch an Office 365 application.
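The counter behavior above is easy to misread when reviewing the System Log. The following is an added example, not Okta's code, that replays System Log events and keeps the two failure buckets separately, the way the article describes: a success on /api/v1/authn resets only the Okta-login bucket, so failures on the Office 365 WS-Fed endpoint keep accumulating toward the threshold. The event records are constructed sample data (field names follow the System Log schema; the app id in the URI and the user names are placeholders), and `LOCKOUT_THRESHOLD` is an assumed policy value. It also reports the naive "failures since last success" count so an admin can see why the lockout looks early.

```python
"""
Per-channel failed-login tally over Okta System Log events (added example).

Models the behaviour described in the article: failures on the Office 365
WS-Fed (Basic Auth) endpoint and on /api/v1/authn are counted in separate
buckets, and a success in one bucket resets only that bucket.
"""
from collections import defaultdict

# Assumed policy value: "lock out after N failed attempts".
LOCKOUT_THRESHOLD = 5

OFFICE365_PREFIX = "/app/office365/"
WSFED_MARKER = "/sso/wsfed/"
AUTHN_URI = "/api/v1/authn"


def classify_channel(request_uri):
    """Map a request URI to the bucket Okta evaluates it in.

    Returns "basic_auth" for the Office 365 WS-Fed endpoint, "okta_login"
    for the standard /api/v1/authn flow, or None for anything else.
    """
    if request_uri.startswith(OFFICE365_PREFIX) and WSFED_MARKER in request_uri:
        return "basic_auth"
    if request_uri.startswith(AUTHN_URI):
        return "okta_login"
    return None


def tally_failures(events, threshold=LOCKOUT_THRESHOLD):
    """Replay events in order and return per-user counters.

    For each user the record holds:
      channels                    - failure count per bucket
      locked                      - True once any single bucket reaches threshold
      failures_since_last_success - the channel-agnostic count an admin might
                                    expect Okta to use (it does not)
    """
    state = {}
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        uri = ev.get("debugContext", {}).get("debugData", {}).get("requestUri", "")
        channel = classify_channel(uri)
        if channel is None:
            continue
        user = ev["actor"]["alternateId"]
        rec = state.setdefault(user, {
            "channels": defaultdict(int),
            "locked": False,
            "failures_since_last_success": 0,
        })
        if ev["outcome"]["result"] == "SUCCESS":
            rec["channels"][channel] = 0          # resets this bucket only
            rec["failures_since_last_success"] = 0
        else:
            rec["channels"][channel] += 1
            rec["failures_since_last_success"] += 1
            if rec["channels"][channel] >= threshold:
                rec["locked"] = True
    return state


def users_to_clear(state):
    """Users whose sessions should be cleared per the article's resolution."""
    return sorted(u for u, rec in state.items() if rec["locked"])


def _event(user, uri, result):
    """Build a minimal constructed System Log event (sample data, not real)."""
    return {
        "eventType": "user.session.start",
        "actor": {"alternateId": user},
        "outcome": {"result": result},
        "debugContext": {"debugData": {"requestUri": uri}},
    }


# Placeholder app id; the real path has the form /app/office365/{id}/sso/wsfed/...
WSFED_URI = "/app/office365/0oaPLACEHOLDERID/sso/wsfed/username13"

# Constructed scenario: alice fails 3x via Azure AD, succeeds once in the
# normal Okta flow, then fails 2x more via Azure AD. bob fails 4x via Azure AD
# and then succeeds on the same endpoint, which does reset his bucket.
SAMPLE_EVENTS = (
    [_event("alice@example.com", WSFED_URI, "FAILURE")] * 3
    + [_event("alice@example.com", AUTHN_URI, "SUCCESS")]
    + [_event("alice@example.com", WSFED_URI, "FAILURE")] * 2
    + [_event("bob@example.com", WSFED_URI, "FAILURE")] * 4
    + [_event("bob@example.com", WSFED_URI, "SUCCESS")]
)

if __name__ == "__main__":
    for user, rec in tally_failures(SAMPLE_EVENTS).items():
        print(user, dict(rec["channels"]), "locked" if rec["locked"] else "ok",
              "naive count:", rec["failures_since_last_success"])
```

When run against real exports, feed it the `user.session.start` events for the affected user in chronological order; the gap between the `basic_auth` bucket and `failures_since_last_success` is exactly the discrepancy the article describes, and `users_to_clear` gives the list of users whose sessions to clear.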
