
Why EX1256020 is still haunting our mobile users

Forrest Jess 125 Reputation points
2026-03-30T14:19:34.1566667+00:00

I’m currently struggling with the fallout from the EX1256020 incident where our Outlook mobile and Mac users are still getting hit with intermittent session timeouts. Even though Microsoft claimed to revert the 'new virtual account' change that triggered the mess, we’re seeing a massive lag in token propagation, leaving half our users stuck in an authentication loop. It feels like the backend is still trying to validate against a service principal that doesn't fully exist anymore, and I need to know if there's a manual way to kick the tenant’s identity cache into gear or if we’re just at the mercy of the global TTL.

Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.


2 answers

  1. Steven-N 24,365 Reputation points Microsoft External Staff Moderator
    2026-03-30T15:15:47.9733333+00:00

    Hi Forrest Jess

    Thank you for reaching out to the Microsoft Q&A forum, and I apologize for the inconvenience.

    To better assist you, could you please provide me with additional information about:

    1. Does the problem reproduce only on Outlook mobile + the new Outlook for Mac, while Outlook on the web (OWA) and other clients remain stable for the same users?
    2. In Microsoft Entra sign-in logs for an affected user, what exact failure reason/error code shows during the loop and which Conditional Access controls are being applied?
    3. Is the impact clustered (same region, same subset of mailboxes, or spikes after mailbox moves/failovers), and do you see related transient/service errors around the same timestamps?

    I am looking forward to hearing from you.




  2. Q&A Assist
    2026-03-30T14:19:50.8533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    There is no supported manual method in the provided documentation to force-refresh or “kick” an Exchange Online or Microsoft 365 tenant-wide identity/token cache beyond the normal token and metadata refresh mechanisms already built into the service.

    From the available information:

    • Microsoft 365 relies on Microsoft Entra ID access and refresh tokens with fixed lifetimes. Access tokens are typically valid for 1 hour, and refresh tokens can be valid for up to 90 days with continuous use. When access tokens expire, clients use refresh tokens to obtain new access tokens as long as the original authentication is still valid. There is no documented tenant-level control to shorten or bypass this global behavior.
    • For hybrid Modern Authentication with Outlook for iOS and Android, the only relevant “manual refresh” operation in the context is for EvoSTS certificate metadata on Exchange on-premises, using Set-AuthServer EvoSts -RefreshAuthMetadata. That mechanism is specific to on-premises hybrid scenarios and does not provide a general-purpose cache flush for Exchange Online or Microsoft 365 tokens.

    Given the context, remediation of issues like EX1256020-related mobile session problems depends on:

    • Normal expiration and renewal of Microsoft Entra ID tokens (global TTL behavior).
    • Any service-side fixes or incident mitigations Microsoft deploys.

    No supported, documented PowerShell cmdlet or admin action is provided here that would immediately invalidate or repoint all existing mobile/Mac sessions to a different service principal or identity configuration on demand.
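
Item 2 of the first answer asks for the failure reason/error code and the Conditional Access controls seen during the loop. As an added example (not part of the thread and not Microsoft tooling), the Python below tallies both from sign-in records shaped like the Microsoft Graph signIn resource and flags bursts of failures per user and app; the sample records, the helper names and the `threshold` and `window` defaults are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, not data from EX1256020. Keys follow the Graph signIn resource.
def rec(ts, app, code, reason="", policies=()):
    return {"createdDateTime": ts, "userPrincipalName": U, "appDisplayName": app,
            "status": {"errorCode": code, "failureReason": reason},
            "appliedConditionalAccessPolicies":
                [{"displayName": n, "result": r} for n, r in policies]}

U = "user1@contoso.example"
SAMPLE = [
    rec("2026-03-30T13:00:05Z", "Outlook Mobile", 50173, "Grant expired"),
    rec("2026-03-30T13:00:40Z", "Outlook Mobile", 50173, "Grant expired"),
    rec("2026-03-30T13:01:10Z", "Outlook Mobile", 53000, "Device not compliant",
        [("Require compliant device", "failure")]),
    rec("2026-03-30T13:02:00Z", "Outlook on the web", 0),
    rec("2026-03-30T15:30:00Z", "Outlook Mobile", 50173, "Grant expired"),
]

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def failure_summary(records):
    """Count failed sign-ins per (app, errorCode, failureReason)."""
    return Counter((r["appDisplayName"], r["status"]["errorCode"],
                    r["status"]["failureReason"])
                   for r in records if r["status"]["errorCode"] != 0)

def blocking_policies(records):
    """Count Conditional Access policies whose result was 'failure'."""
    return Counter(p["displayName"] for r in records
                   for p in r["appliedConditionalAccessPolicies"]
                   if p["result"] == "failure")

def find_loops(records, threshold=3, window=timedelta(minutes=5)):
    """Map (user, app) to the start of the first burst of failures in the window."""
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: parse(r["createdDateTime"])):
        if r["status"]["errorCode"] != 0:
            key = (r["userPrincipalName"], r["appDisplayName"])
            failures[key].append(parse(r["createdDateTime"]))
    loops = {}
    for key, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                loops[key] = times[i]
                break
    return loops
```

Comparing the per-app counts for the same user separates a client-specific loop from a tenant-wide failure, which is what item 1 of the first answer is asking about.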

