I would be happy to know any ideas why a single user in a Microsoft 365 tenant would suddenly lose access to some M365 services, like Exchange Online and Microsoft Forms.
I came across this when email sent to that user stopped being delivered, as if the email address no longer existed. I checked the user details in the M365 admin center and noticed that some apps were unchecked under the Licenses and Apps tab. I selected all apps and saved the changes, which solved the issue.
I have no idea what had caused this. I'm sure none of the admins did this on purpose. The affected user also happened to be one of the global admins. As a precaution, I reset the password, scanned their workstation for malware and asked about any potential phishing emails received lately.
I have also done the following to find signs of a compromised account, but found nothing suspicious:
- Checked outgoing email statistics of the tenant
- Checked outgoing email (message trace) of the affected user during the incident and a few days prior
- Checked forwarding settings and inbox rules of all accounts
- Checked last sign in times of all admins
My biggest questions are:
- What could cause an incident like this, if not a malicious actor?
- If an admin account was compromised, why would an attacker do something like this?