Has Office 365 been playing up last week?

I am a systems admin for a small business. I have had a lot of experience with Exchange; however, this company has its email hosted with an Office 365 E2 plan, which I have not had exposure to in the past.

Last week I was tasked with changing a few user passwords. Seemed a simple request, just go in via the web interface, change it there, and then make the same changes on each user's Outlook 2010 client. The local AD is NOT federated.

The odd thing was that the password changes did not "take" right away. In the first case I tried changing it a second time; in another, I had the new password emailed to me. It took a random amount of time before each client popped up a request for a new password. I was quite definite that I had changed a password; I had the email confirmation in front of me, and watched mail still being received without the credentials being changed.

The time seemed to vary between 2 and 24 hours after which each client needed the new credentials typed in.

This seems a HUGE security screwup; I would have expected a password change to happen almost right away.

Two questions:
1. Is this normal, expected behavior?
2. Did anyone else see something similar, around Wed 2-Sep?
Mal Osborne (Alpha Geek) Asked:

Vasil Michev (MVP) Commented:
Yes, it is the expected behavior. It's because of caching done on the IIS side, token lifetime and whatnot. If this didn't happen in the first place, you would have to provide credentials for every action you take in Outlook. You can find more info, for example, in this article: http://blogs.technet.com/b/messaging_with_communications/archive/2012/06/27/part-ii-outlook-amp-owa-disabled-accounts-and-users-still-being-able-to-access.aspx

For the same reasons, disabling the account will not immediately have effect. If the goal is to prevent the user from accessing the service, changing the password or disabling the account will not do the trick.

In addition, Outlook uses Basic auth when connected to EO, so it will cache the credentials in Credential Manager. Make sure to delete/update the credentials there as well.

Mal Osborne (Alpha Geek) Author Commented:
So, 24 hours is "normal"?

Vasil Michev (MVP) Commented:
You said it yourself, it varies.
