Symptoms
If you type an incorrect set of credentials, and then cancel a password prompt, Outlook may continue to send requests with the incorrect set of credentials. This could cause an account lockout.
Resolution
To fix this issue, install April 2, 2019, update for Outlook 2016 (KB4464502).
After applying it, Outlook 2016 is disallowed to send requests by default during Need Password.
More information
With June 4, 2019, update for Outlook 2016 (KB4464585), the default behavior is changed to enable Outlook 2016 to send requests during Need Password. If you need to revert the previous behavior, set the value of the AllowRequestsInNeedPasswordBehavior registry key to 0.
Registry key
Location: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security
Value Name: AllowRequestsInNeedPasswordBehavior
Type: DWORD
Values:
The default value is 3. Any values greater than 2 allow both legacy and MAPI/HTTP providers to send requests during Need Password. This could lead to an account lockout if an incorrect password is supplied.
If the value of the registry key is set to 0, it disallows both legacy and MAPI/HTTP providers to send requests during Need Password.
If the value of the registry key is set to 1, legacy providers can send requests, but MAPI/HTTP providers can't.
If the value of the registry key is set to 2, legacy providers can't send requests, but MAPI/HTTP can.
