@nielsk @unixtippse I think from a security point of view, it's better when it doesn't work. More than that, every time your server sees a user successfully log in from a Microsoft IP, it should reset (or disable) that user's password, since you have to assume it's compromised.