"Access Denied" error, or the user is repeatedly prompted for credentials, when the user tries to access an Office 365 resource from a rich client application

When a user tries to access a Microsoft Office 365 resource from a rich client application, the user experiences one of the following symptoms:

• The user is repeatedly prompted to enter his or her credentials.
• The user receives the following error message:
  Access Denied

This behavior occurs if the user's password has expired in Office 365. When a user's password expires, access to Office 365 resources is immediately limited. For rich client authentication, the change in access occurs without a detailed explanation. This is because rich client applications cannot provide password expiry notification and password reset functionality for a user ID.

To resolve this issue, follow these steps:

1. Reset the user's password. To do this, follow these steps:
   1. Open a web browser, browse to the Office 365 portal (https://portal.microsoftonline.com (https://portal.microsoftonline.com) ), and then sign in by using the user's expired credentials.
   2. When you are prompted, enter a new Office 365 password for the user. Make sure that the password meets the criteria for Office 365.
2. Download and install the latest version of the Microsoft Online Services Sign-in Assistant to enable password expiry notification. To do this, follow these steps:
   1. Sign in to the Office 365 portal (https://portal.microsoftonline.com (https://portal.microsoftonline.com) ) by using the user's new password.
   2. On the Home page, in the pane on the right side, click Downloads, and then under Set up and configure your Office desktop apps, click Set up.
      
      Note After you complete this step, Office 365 Desktop Setup runs again. This updates the Microsoft Online Services Sign-In Assistant installation package on the client computer. This updated package enables password expiry notifications and password reset. The updated package for the Microsoft Online Services Sign-In Assistant can also be manually downloaded from the following Microsoft website:
      http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28177 (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28177)

The following features are introduced in version 7.250.4287.0 of the Microsoft Online Services Sign-in Assistant package:

• Password expiry notification
  
  For users of Office 365 rich client applications (However, this does not include Microsoft Outlook), a notification balloon is displayed on user's desktops 14 days before the 90-day password expiration time-out to notify users that they have to change their password. Users are prompted every day after that until the user changes his or her password.
  
  Every time that authentication is made through the Sign-In Assistant's authentication stack, the Sign-In Assistant uses the credentials that are supplied by the user to check the password expiry status for that user account.
  
  Note Because Outlook connections authenticate without the Sign-In Assistant, the Outlook connection does not trigger the Sign-In Assistant to check password expiry status.
• Password reset
  
  When the notification balloon is displayed within the 14-day period, users can perform one of the following actions:
  • Ignore the notification. After 5 seconds, the balloon is no longer displayed on the desktop.
  • Click X to close the window.
  • Click the balloon to change the password. Users are then redirected to the Office 365 portal where they can change their password.

For information about related technical issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:

• 2637629  (http://support.microsoft.com/kb/2637629/ ) How to troubleshoot computer issues that limit Office 365 rich client authentication
• 2461628  (http://support.microsoft.com/kb/2461628/ )  A federated user is repeatedly prompted for credentials when they connect to the AD FS 2.0 service endpoint during Office 365 sign-in