-2

Today I went to see a friend who was uneasy because he had changed his Office 365 password in the OWA web app but did not need to update it on his other devices afterwards (his iPhone, etc.), so he thought he had been spoofed by a spammer site.

So we went to another PC, logged into his Office 365 account (with the new password) and changed it again. Again, it was not necessary to update the other devices. They just worked (and still do), which I had to admit I could not explain.

I can imagine that Microsoft apps like Outlook and Mail & Calendar sync their accounts with the Microsoft Live account used to log into Windows, a kind of single sign-on. No problem. But I am really surprised that the iOS Mail app did not request an update to its settings.

Can anyone explain this to me please?

Waescher
  • Maybe I should add that the iOS Mail settings dialog, once opened, only accepts the new password. However, sending and receiving mail remains possible, even after the device is restarted. – Waescher Jul 06 '15 at 19:15

1 Answer

There is a delay before a session expires in ActiveSync after a password is changed. The user token (issued by the server) on the device provides evidence that the session is still the same, which is why that device did not immediately require a password change. The device WILL prompt, but this can take a while depending on policy. This article provides a good explanation: Why does my old password work via Activesync?

In similar fashion, disabling an AD account is not sufficient to immediately disable access to ActiveSync, or even OWA for that matter.

Link to a previous answer I provided: https://serverfault.com/a/682464/255009

For something as simple as a password change, the answer is simply "Eventually, the user will get prompted to enter the new password." If access must be terminated immediately, don't rely on just disabling the AD account.

blaughw
  • I will provide links to best practices. – blaughw Jul 06 '15 at 19:23
  • That's what I thought as well, but that was hours ago and he still receives my test mails. I'll mark this as the answer once I get no more mails back ;) – Waescher Jul 06 '15 at 19:26
  • Restarting IIS on the mailbox server will initiate a new session. Of course it would do this for any attached clients as well, and depending on your environment this may not be a good idea. – blaughw Jul 06 '15 at 19:28
  • It took about 18 h until the iPhone requested the new password; at least, that's what he wrote me a few minutes ago. An easy thing, but I did not think it could take this long. – Waescher Jul 07 '15 at 11:20
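The answer above says not to rely on a password change or a disabled AD account when access has to end immediately, but does not show what to do instead. The following is an added example, not code from the question or the answer, of how an Office 365 / Exchange Online admin can cut off a mailbox's devices without waiting for the cached ActiveSync credentials to expire, and then check that syncing has actually stopped. It assumes the current Exchange Online PowerShell module (`Connect-ExchangeOnline`) and the AzureAD module are installed and that the operator holds the Exchange and user administration roles; the user principal name `user@contoso.com` is a placeholder. Note the caveat in step 4: revoking Azure AD refresh tokens only affects modern-auth (OAuth) clients; a basic-auth ActiveSync session carries the password itself, which is why steps 2 and 3 are the ones that stop the iPhone.

```powershell
# Added example: immediately terminate mailbox access for one user in
# Exchange Online, rather than waiting for the ActiveSync session to expire.
# Assumes ExchangeOnlineManagement and AzureAD modules; $User is a placeholder.
param(
    [Parameter(Mandatory)] [string] $User   # e.g. user@contoso.com (placeholder)
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Evidence first: which devices are syncing, and when did they last succeed?
#    Until the cached credentials expire, LastSuccessSync keeps advancing even
#    after the password was changed, which is exactly the behaviour in the question.
Write-Host "Devices before revocation:"
Get-MobileDeviceStatistics -Mailbox $User |
    Select-Object DeviceModel, DeviceOS, DeviceAccessState, LastSuccessSync, LastSyncAttemptTime |
    Format-Table -AutoSize

# 2. Close the protocol doors on the mailbox itself. This takes effect at the
#    Client Access layer, independent of whatever password the device has cached.
Set-CASMailbox -Identity $User `
    -ActiveSyncEnabled $false `
    -OWAEnabled        $false `
    -ImapEnabled       $false `
    -PopEnabled        $false

# 3. Remove every ActiveSync device partnership, so the phone must re-pair
#    (and therefore re-authenticate) if ActiveSync is ever re-enabled.
Get-MobileDevice -Mailbox $User | ForEach-Object {
    Write-Host "Removing partnership: $($_.DeviceModel) ($($_.DeviceId))"
    Remove-MobileDevice -Identity $_.Identity -Confirm:$false
}

# 4. Modern-auth clients (Outlook, Windows Mail & Calendar) hold Azure AD refresh
#    tokens, not the password. Revoke them so they must sign in again once the
#    short-lived access token expires. This does nothing for basic-auth ActiveSync.
Connect-AzureAD | Out-Null
$aadUser = Get-AzureADUser -ObjectId $User
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

# 5. Verify the protocol state; all four should now read False.
Write-Host "Mailbox protocol state after revocation:"
Get-CASMailbox -Identity $User |
    Select-Object ActiveSyncEnabled, OWAEnabled, ImapEnabled, PopEnabled |
    Format-List
```

Run step 1 again a few minutes later: with ActiveSync disabled and the partnerships gone, no device should report a new `LastSuccessSync`. Re-enabling the protocols later (`Set-CASMailbox -ActiveSyncEnabled $true`) is safe because the device has to establish a fresh partnership with the current password.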