<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008C3jgWSAROkta Classic EngineOkta Integration NetworkAnswered2024-04-30T09:18:25.000Z2017-09-13T11:41:39.000Z2017-09-13T11:41:39.000Z

ChristophM.79734 (Customer) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
Locked out user can still login to Office 365 apps
Hi

a user changed his password yesterday. His mobile device kept trying to login with the stored credentials. This led to "Account locked - max sign-in attempts exceeded" message in the suspicious activity report.

This is now 7hours ago.

The user is shown as locked out in Okta management. The account is coming from Active Directory. The account there is still unlocked.

When the user tries to sign in to okta via browser - he cannot. OK

When the user tries to sign into Office 365 via browser - he cannot.OK

But his Outlook and Skype are connected, receive mails and work ok. He can even logout from Skype for Business and login again - why?

Thanks for help

Christoph
  • 1 answer
  • 1.89K views

  • j5v7c (j5v7c)

    The reason for this is because the refresh token that the Office thick client(s) receives from O365 after successful authentication has a lifetime of 90 days. The Office thick client must be re-authenticated all the way back to Okta only after this 90 days has elapsed.  The browser access does not have the refresh token and checks every time which is why it works.

     

    Since 90 days is a long time, best practice for quickly removing a user's access to O365 is to de-activate and/or remove the user's licenses via Okta's O365 provisioning integration or via the  O365 console if you really want to block the access.
    Expand Post
This question is closed.
Loading
Locked out user can still login to Office 365 apps