Okta Users Getting Locked Out with Multiple Failed Login Attempts via a Rich Client
Single Sign-On
Okta Classic Engine
Overview

Users are locked out with multiple failed login attempts via a Rich Client.

Applies To
  • Microsoft Office 365 (O365)
  • Outlook Thick Client
  • Okta Classic Engine
Cause

Search the System Log for eventType eq "user.authentication.auth_via_richclient".

Check the User Agent and IP address to verify if the logins are from valid devices/IP addresses. 

  • If the device and IP address are recognized, the lockouts usually relate to stale credentials cached in the local Keychain Access application.
  • If they are not recognized, further investigation is needed to determine who is behind these User Agents and IP addresses, why, and where they are coming from.

Whenever an Office 365 thick-client application session expires, Microsoft automatically retrieves the credentials stored in the local credential manager on the desktop and passes them back to Okta for authentication with the Identity Provider (IdP). If those credentials are no longer valid, authentication with the IdP fails and "authentication via Rich Client" failures appear for the user in the System Log.
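
The log triage described under Cause, as an added example (not Okta's code): it counts failed rich-client events per user, IP address, and User Agent and labels each source as recognized or not. The events are constructed samples that use System Log field names, and KNOWN_NETWORKS is an assumed list you would replace with your own ranges.

```python
import ipaddress
from collections import Counter

RICH_CLIENT = "user.authentication.auth_via_richclient"

def _event(user, ip, agent, result, event_type=RICH_CLIENT):
    """Build a constructed event using the System Log field names."""
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": agent}}}

# Constructed sample data: users, addresses and user agents are made up.
OUTLOOK = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0)"
SAMPLE_EVENTS = (
    [_event("alice@example.com", "192.0.2.10", OUTLOOK, "FAILURE")] * 3
    + [_event("alice@example.com", "203.0.113.77", "ExampleClient/1.0", "FAILURE")] * 2
    + [_event("alice@example.com", "192.0.2.10", OUTLOOK, "SUCCESS"),
       _event("bob@example.com", "192.0.2.20", OUTLOOK, "FAILURE", "user.session.start")]
)
# Assumption: the networks your organization recognizes (a documentation range here).
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def is_known(ip, networks):
    """True if ip parses and falls inside one of the recognized networks."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in networks)
    except ValueError:
        return False

def triage(events, networks):
    """Count failed rich-client logins per (user, IP, user agent) and label each source."""
    counts = Counter()
    for ev in events:
        if ev.get("eventType") != RICH_CLIENT:
            continue
        if (ev.get("outcome") or {}).get("result") != "FAILURE":
            continue
        client = ev.get("client") or {}
        counts[((ev.get("actor") or {}).get("alternateId") or "unknown",
                client.get("ipAddress") or "unknown",
                (client.get("userAgent") or {}).get("rawUserAgent") or "unknown")] += 1
    return [{"user": u, "ip": ip, "user_agent": ua, "failures": n,
             "verdict": "recognized: check cached credentials"
                        if is_known(ip, networks) else "unrecognized: investigate"}
            for (u, ip, ua), n in counts.most_common()]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, KNOWN_NETWORKS):
        print(row)
```

Rows come back ordered by failure count, so the source driving the lockout is listed first.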

Solution
  1. Delete any cached Microsoft passwords and reboot the machine: 
    • Open the Credential Manager app on Windows (for Mac, open the Keychain access program).
    • Locate and remove any Microsoft/Outlook-related credentials.
    • Log out and log back into the machine.
  2. Confirm with the user whether they are using their Okta password or a different password on the Windows login screen. If the passwords are not synced properly, the user might still be able to access their device with a non-Okta password. While that allows access to the device, Okta logs the event as a failure since it did not receive the expected Okta password.
    • Sync/Reset the User's password on the machine to match their Okta password. 