September 3, 2019
Office 365

How to Prevent Office 365 Account Lockouts

John Wu headshot
John Wu Senior Solutions Engineer

Office 365 lockouts are a major employee productivity issue – here are tips and tricks to stop account lockouts.

Leon's Tech Insight

Active Directory account lockouts caused by brute force attacks on Office 365 are one of the top reported issues for Office 365 customers. According to Microsoft, there are more than 300 million fraudulent sign-in attempts every day. Because a breach may not have occurred, it is not the highest security concern. Nevertheless, it is a major employee productivity issue and overloads IT with support cases. If your Office 365 domain is federated with Idaptive, here are four things that can help stop account lockouts caused by brute force attacks on Office 365.

  1. Disable legacy email protocols such as SMTP, POP, and IMAP. Protocols that use basic authentication are vulnerable to scripted brute force attacks and do not support multi-factor authentication or Microsoft’s Conditional Access policies. These protocols are rarely used nowadays but enabled by default in Office 365.
    1. Enable Office applications to use modern authentication - Details here
    2. Disable legacy protocols for mailbox accounts. You can disable for all users but leave it enabled for specific user accounts that may still need it, for example SMTP for an account used by a network printer. Details here
  2. Go passwordless with multi-factor authentication. Replace password authentication with non-password authentication, to avoid wrong passwords from being entered. Here is a brief video demonstration of how Outlook can be set up without a password.
    1. Enable passwordless authentication for the Idaptive User Portal login. Details here
    2. Optionally enable passwordless authentication at the app level if there is a security requirement for additional MFA. Details here  
  3. Restrict how email is accessed on mobile devices.
    1. Use the Outlook mobile app instead of the native email client. Native email clients use the ActiveSync protocol, which does not use modern authentication. The Outlook mobile app supports modern authentication and will redirect users to Idaptive for passwordless authentication.
    2. Implement MDM/EMM for mobile devices to:
      • Enforce a passcode on the device.
      • Have the ability to wipe the device if lost or stolen.
      • Have the ability to remotely remove (selectively wipe) the Outlook mobile app from a BYOD/personal device, when the employee no longer works for you.
    3. Implement ActiveSync quarantine to control which devices can access email via ActiveSync. Details here  

Looking to get started with Idaptive? Check out our free 30 day trial here