
(Customer) asked a question.
Hi,
We have just moved our org to Okta to have O365 SSO for our Active Directory users. Onboarding went fluently and it mostly works great.
One of our users reset his password today. That user is able to log in to his AD computer using his new password. But he cannot access his mailbox (both desktop Outlook and webmail via outlook.office.com) with his new password. He tried his old password and it still works for the mailbox. Our other users reported that they have to wait 10-15 minutes before their new passwords start working for their mailboxes. So we waited. Still not good after 5 hours...
A few more details. Delegated authentication to Active Directory is enabled in our Okta settings. I am also a bit concerned about the Directory Sync Status shown in the O365 admin center; it frequently indicates that the last directory sync was several hours ago.
Where should I start troubleshooting?

We've had similar issues. The problem seems to be that Office 365 does not consistently send the client back to Okta for authentication. It's caching their credentials somewhere, most likely in a cookie or maybe in the Windows Credential Manager. My guess is that they've made changes to credential caching to assuage business users who complained about having to authenticate too often. For long stretches at a time, I've been able to log into my mailbox from my personal (non-domain-joined) MacBook without even being prompted for a username and password! I don't see this as an Okta issue if any service provider doesn't redirect the user for authentication.
Re: directory sync - are you syncing with your Active Directory domain, and if so, are you using a recent version of Azure AD Connect? If so, it should be doing a delta sync every 30 minutes. If you're not seeing that in the O365 admin console, then someone needs to review the sync tasks on the Azure AD Connect server and see if there's a problem.
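
One way to do the scheduler review suggested in the answer above, as an added example that is not part of the original thread. It assumes it is run on the Azure AD Connect server, reads the built-in scheduler state with `Get-ADSyncScheduler` from the ADSync module, and lists anything that would stop the 30-minute delta sync; the function name `Test-AdSyncSchedulerHealth` is hypothetical.

```powershell
# Added example; run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Test-AdSyncSchedulerHealth {
    param(
        # Expected delta sync interval, per the answer above (30 minutes).
        [TimeSpan]$ExpectedInterval = [TimeSpan]::FromMinutes(30)
    )

    $s = Get-ADSyncScheduler
    $findings = @()

    if (-not $s.SyncCycleEnabled) {
        $findings += 'Scheduler is disabled (SyncCycleEnabled = False).'
    }
    if ($s.SchedulerSuspended) {
        $findings += 'Scheduler is suspended (SchedulerSuspended = True).'
    }
    if ($s.StagingModeEnabled) {
        $findings += 'Server is in staging mode; it does not export changes to Azure AD.'
    }
    if ($s.CurrentlyEffectiveSyncCycleInterval -gt $ExpectedInterval) {
        $findings += "Effective interval is $($s.CurrentlyEffectiveSyncCycleInterval), longer than $ExpectedInterval."
    }

    # A next-run time well in the past means cycles are not being started.
    $overdue = [DateTime]::UtcNow - $s.NextSyncCycleStartTimeInUTC
    if (-not $s.SyncCycleInProgress -and $overdue -gt $ExpectedInterval) {
        $findings += "Next cycle was due $([int]$overdue.TotalMinutes) minutes ago and has not started."
    }

    [PSCustomObject]@{
        NextCycleType = $s.NextSyncCyclePolicyType
        NextCycleUtc  = $s.NextSyncCycleStartTimeInUTC
        Healthy       = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

Test-AdSyncSchedulerHealth | Format-List
```

If the scheduler reports healthy but the admin center still shows a stale sync time, the next place to look is the run history of the individual connectors on the same server.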