Share via

outlook lock out

Admin Michael Timmerman 0 Reputation points
2026-04-20T22:05:02.6366667+00:00

I have an employee who is constantly being locked out of an email account. The email account is from his predecessor but uses it to monitor because the previous employee worked her for 30 years and left abruptly on bad terms. he has his own email account that we are trying to get all correspondence moved to but haven't made it there. the old account gets locked up almost every day. any help would be appreciated. thank you

Outlook | Web | Outlook on the web for business | Security
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sophie N 14,210 Reputation points Microsoft External Staff Moderator
    2026-04-21T00:20:07.4666667+00:00

    Dear @Admin Michael Timmerman,

    I understand that daily account lockouts cause a lot of inconvenience, especially when trying to manage the transition between the predecessor's mailbox and the current employee's workflow.

    Based on the case of the account being used for "monitoring" and having a history of sudden departures, the account lockout may be caused by an Account Lockout Threshold policy, triggered by incorrect login credentials sent from forgotten devices or applications. If possible, could you take a screenshot of the lockout so I can investigate further?

    Below is a brief plan to resolve this issue (Note that if you are a user, you need to request these steps from the global administrator):

    Step 1: Identify the Source of "Bad" Requests

    The daily lockout suggests a device, script, or application is still trying to log in using the predecessor's old password.

    • Please check the Microsoft Entra (Azure AD) Sign-in logs for that specific account.
    • Look for "Failure" status codes. The "Client App" and "IP Address" columns will tell you if the requests are coming from a mobile phone, an old workstation, or an external mail app (like IMAP/POP).

    Please refer to this document: Sign-in logs in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

    Step 2: Convert to a Shared Mailbox

    Since you are trying to move correspondence to the new employee's account, the most stable and professional method is to convert the old account into a Shared Mailbox.

    Shared mailboxes do not require a password for access (users use their own credentials) and do not consume a license. This immediately stops "password-based" lockouts for the employee.

    • Go to the M365 Admin Center > Active Users. 
    • Select the old user > Mail tab > Convert to shared mailbox. 

    User's image

    • Under Mailbox permissions, add the new employee with "Full Access" and "Send As" permissions. User's image

    Please refer to this document: Convert a user mailbox to a shared mailbox

    Step 3: Clear Stored Credentials

    If the employee has the old account added as a secondary "Exchange" account in their Outlook desktop app, the local machine might be caching the old password.

    • On the employee's computer, go to Control Panel > User Accounts > Credential Manager > Windows Credentials. Remove any entries related to the predecessor's email address.

    To finish the transition, you can set up a Forwarding rule within the Shared Mailbox settings to automatically send all new incoming mail to the new employee’s primary address.

    Please refer to this document: Configure shared mailbox settings - Microsoft 365 admin | Microsoft Learn

    By converting the account to a Shared Mailbox, you eliminate the need for the employee to know the "old" password, effectively ending the lockout cycle while maintaining access.

    If you have any updates or if anything is unclear in my response, please feel free to leave a comment directly under this post. Doing so makes it easier for me to stay notified and continue supporting you here in the discussion. While I’m limited by my role and can’t directly intervene with account access, explaining the process clearly and guiding you to the right specialized support is the most effective help I can offer from my position.

    I’ll be glad to continue the discussion with you. Thank you for your understanding.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Q&A Assist
    2026-04-20T22:05:13.1833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Frequent lockouts usually mean repeated sign-in failures or background apps repeatedly trying old credentials. For a legacy/shared mailbox being monitored, use these steps to stabilize access and improve security:

    1. Stop the repeated bad sign-ins
      • Make sure no one is using old or incorrect passwords for that mailbox on any device (PCs, phones, tablets, shared computers, old Outlook profiles, mobile mail apps, printers, scanners, etc.).
      • Remove the old mailbox profile from any classic Outlook or mobile mail apps where it might still be configured.
      • If classic Outlook keeps prompting for a password, verify the username is the full email address and that the password is current. If the password was changed recently, update it in Outlook so it does not keep sending the old one.
    2. Change the password and secure the account
      • Change the password for the old mailbox to a strong, unique one that only the current employee (and IT/admins) know.
      • Set up two-factor authentication (2FA) on the account if available in the tenant. This reduces the chance of external attackers causing lockouts.
    3. Use safer access patterns for the legacy mailbox
      • Instead of having the employee sign in directly as the old user, configure the old mailbox as a shared mailbox (if using Microsoft 365) and grant the employee Full Access/Send As permissions. Then the employee signs in only with their own account and opens the old mailbox as an additional mailbox.
      • This avoids separate credentials and reduces lockout risk.
    4. Reduce exposure of the old sign-in identity
      • If this is a consumer Microsoft account (Outlook.com), consider adding a new alias and making it the primary sign-in, then disabling sign-in with the old alias so it can still receive mail but cannot be used to log in. This helps prevent attackers from repeatedly trying to sign in with the old address.
    5. Plan the migration and decommissioning
      • Complete the move of all important correspondence from the old mailbox to the employee’s own mailbox (or to a shared mailbox).
      • Once all required data is moved and retention requirements are met, stop using the old mailbox for interactive sign-in and, if appropriate, disable it or keep it only as an archive/shared mailbox.

    If the account is a personal Microsoft account (Outlook.com) and is being locked due to suspicious activity, use the “Unblock my Outlook.com account” and “Request for Account Reinstatement” options described in the referenced guidance, and avoid repeated sign-in attempts for at least 24 hours after a lockout.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.