If a user account is frequently locked out and the events are not reported in the Event Viewer, it could be due to several reasons, including the use of an iPhone or other devices that may be trying to authenticate with outdated credentials. Here are some settings and considerations to look into:
- Old Password Usage: Ensure that the user is not using an old password after a recent change. This is a common reason for lockouts.
- Application or Service Credentials: Check if any applications or services are using the account with old credentials. If the account is used in multiple places, ensure all instances are updated with the new password.
- Password Synchronization: If the password was changed in a different environment (like on-premises AD), ensure that it has synchronized properly with the managed domain.
- Account Lockout Settings: Review the account lockout settings, such as the maximum number of failed attempts before lockout and the duration of the lockout period. For example, the default is often set to 5 failed attempts in a short time frame.
- Monitoring Tools: Utilize monitoring tools like Microsoft Entra Connect Health to track account activity and receive alerts for failed sign-in attempts, which can help identify the source of the lockouts.
If the issue persists, further investigation into the specific device settings on the iPhone may be necessary, such as checking for saved passwords in apps or the mail settings that might be using outdated credentials.
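One way to narrow down which device or application is replaying the old password, as an added example that is not part of the original answer: group failed sign-ins recorded after the password change by source and flag any source that reaches the lockout threshold on its own. The record layout, field names, sample values and the two-minute window are assumptions; the threshold of 5 follows the example figure above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed layout:
# (timestamp, account, source IP, client app, device OS, result).
# Map these from whatever failed sign-in export you have available.
PASSWORD_CHANGED = datetime(2024, 5, 1, 8, 30)
SAMPLE = (
    [("2024-05-01T08:10:00", "alice", "198.51.100.7", "Browser", "Windows", "bad_password")]
    # A mail client retrying a saved password every 10 seconds.
    + [(f"2024-05-01T09:00:{s:02d}", "alice", "203.0.113.10",
        "Exchange ActiveSync", "iOS", "bad_password") for s in range(0, 60, 10)]
    + [("2024-05-01T09:00:30", "bob", "203.0.113.10", "Exchange ActiveSync", "iOS", "bad_password"),
       ("2024-05-01T09:10:00", "alice", "198.51.100.7", "Browser", "Windows", "bad_password"),
       ("2024-05-01T09:11:00", "alice", "198.51.100.7", "Browser", "Windows", "success")]
)

def rank_lockout_sources(records, user, password_changed,
                         threshold=5, window=timedelta(minutes=2)):
    """Return [(source, failures, burst)] for `user`, most failures first.

    Only bad-password failures at or after `password_changed` count, since
    earlier ones cannot come from a stale saved credential. `burst` is True
    when `threshold` failures from one source fall within `window`, i.e.
    that source alone is enough to trip the lockout policy.
    """
    by_source = defaultdict(list)
    for ts, account, ip, client, os_name, result in records:
        when = datetime.fromisoformat(ts)
        if account != user or result != "bad_password" or when < password_changed:
            continue
        by_source[(ip, client, os_name)].append(when)

    ranked = []
    for source, times in by_source.items():
        times.sort()
        # Sliding window: compare each failure with the one threshold-1 later.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        ranked.append((source, len(times), burst))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for source, count, burst in rank_lockout_sources(SAMPLE, "alice", PASSWORD_CHANGED):
        print(source, count, "reaches lockout threshold" if burst else "")
```

A source flagged as a burst with a mail or sync client and a mobile OS is the first place to clear the saved password.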