Invalid credentials with M365 login

Infos:

  • Used Zammad version: 4.1.x
  • Used Zammad installation type: package
  • Operating system: Ubuntu 18.04
  • Browser + version: Chrome, Edge, Brave

Expected behavior:

  • Login with M365 user works as expected

Actual behavior:

  • After choosing the Office 365 login, the user gets asked for mail address and password and receives the invalid credentials error page.

Steps to reproduce the behavior:

  • Try login with M365 mail address and password.

We have 2 Zammad systems, each of them running on separate servers. The user was able to log in to both systems using the M365 credentials as of Friday last week. The user is also able to log in to portal.office.com using the same credentials as well as to other systems that use the M365 login option. Both Zammad systems have about 200 users and this only happens to one user. The user has not changed passwords or anything.
The Azure Sign-in Logs show the log-in as successful, but the user still gets the invalid credentials message.
App registrations and client secrets are ok since all other users can log in without any issues.
Tried different browsers, incognito mode, cleared cache, tried from phone and tablet.

Excerpt from production.log (grep for invalid_credentials):

production.log.1:I, [2022-01-31T13:48:50.341005 #892-1923700]  INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fit-helpdesk.asmobil.ch%2F&strategy=microsoft_office365" for 62.2.199.150 at 2022-01-31 13:48:50 +0000
production.log.1:I, [2022-01-31T13:48:50.348076 #892-1923700]  INFO -- :   Parameters: {"message"=>"invalid_credentials", "origin"=>"https://it-helpdesk.asmobil.ch/", "strategy"=>"microsoft_office365"}
production.log.1:E, [2022-01-31T13:48:50.357006 #892-1923700] ERROR -- : Message from microsoft_office365: invalid_credentials (Exceptions::UnprocessableEntity)
production.log.1:E, [2022-01-31T13:51:35.774344 #892-1983980] ERROR -- : (microsoft_office365) Authentication failure! invalid_credentials: OAuth2::Error, {"code"=>"UnknownError", "message"=>"<!DOCTYPE html>\r\n<html>\r\n    <head>\r\n        <title>Runtime Error</title>\r\n        <meta name=\"viewport\" content=\"width=device-width\" />\r\n        <style>\r\n         body {font-family:\"Verdana\";font-weight:normal;font-size: .7em;color:black;} \r\n         p {font-family:\"Verdana\";font-weight:normal;color:black;margin-top: -5px}\r\n         b {font-family:\"Verdana\";font-weight:bold;color:black;margin-top: -5px}\r\n         H1 { font-family:\"Verdana\";font-weight:normal;font-size:18pt;color:red }\r\n         H2 { font-family:\"Verdana\";font-weight:normal;font-size:14pt;color:maroon }\r\n         pre {font-family:\"Consolas\",\"Lucida Console\",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}\r\n         .marker {font-weight: bold; color: black;text-decoration: none;}\r\n         .version {color: gray;}\r\n         .error {margin-bottom: 10px;}\r\n         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:pointer; }\r\n         @media screen and (max-width: 639px) {\r\n          pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }\r\n         }\r\n         @media screen and (max-width: 479px) {\r\n          pre { width: 280px; }\r\n         }\r\n        </style>\r\n    </head>\r\n\r\n    <body bgcolor=\"white\">\r\n\r\n            <span><H1>Server Error in '/Profile' Application.<hr width=100% size=1 color=silver></H1>\r\n\r\n            <h2> <i>Runtime Error</i> </h2></span>\r\n\r\n            <font face=\"Arial, Helvetica, Geneva, SunSans-Regular, sans-serif \">\r\n\r\n            <b> Description: </b>An application error occurred on the server. 
The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.\r\n            <br><br>\r\n\r\n            <b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a &lt;customErrors&gt; tag within a &quot;web.config&quot; configuration file located in the root directory of the current web application. This &lt;customErrors&gt; tag should then have its &quot;mode&quot; attribute set to &quot;Off&quot;.<br><br>\r\n\r\n            <table width=100% bgcolor=\"#ffffcc\">\r\n               <tr>\r\n                  <td>\r\n                      <code><pre>\r\n\r\n&lt;!-- Web.Config Configuration File --&gt;\r\n\r\n&lt;configuration&gt;\r\n    &lt;system.web&gt;\r\n        &lt;customErrors mode=&quot;Off&quot;/&gt;\r\n    &lt;/system.web&gt;\r\n&lt;/configuration&gt;</pre>                      </code>\r\n\r\n                  </td>\r\n               </tr>\r\n            </table>\r\n\r\n            <br>\r\n\r\n            <b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the &quot;defaultRedirect&quot; attribute of the application&#39;s &lt;customErrors&gt; configuration tag to point to a custom error page URL.<br><br>\r\n\r\n            <table width=100% bgcolor=\"#ffffcc\">\r\n               <tr>\r\n                  <td>\r\n                      <code><pre>\r\n\r\n&lt;!-- Web.Config Configuration File --&gt;\r\n\r\n&lt;configuration&gt;\r\n    &lt;system.web&gt;\r\n        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;\r\n    &lt;/system.web&gt;\r\n&lt;/configuration&gt;</pre>                      </code>\r\n\r\n                  </td>\r\n               </tr>\r\n            </table>\r\n\r\n            <br>\r\n\r\n            </font>\r\n\r\n    
</body>\r\n</html>\r\n", "innerError"=>{"date"=>"2022-01-31T13:51:35", "request-id"=>"e6b0f7f2-5589-412e-a3b6-b6a06c0ae753", "client-request-id"=>"e6b0f7f2-5589-412e-a3b6-b6a06c0ae753"}}: 
production.log.1:I, [2022-01-31T13:51:35.796430 #892-1986900]  INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fit-helpdesk.asmobil.ch%2F&strategy=microsoft_office365" for 62.2.199.150 at 2022-01-31 13:51:35 +0000
production.log.1:I, [2022-01-31T13:51:35.803699 #892-1986900]  INFO -- :   Parameters: {"message"=>"invalid_credentials", "origin"=>"https://it-helpdesk.asmobil.ch/", "strategy"=>"microsoft_office365"}
production.log.1:E, [2022-01-31T13:51:35.811356 #892-1986900] ERROR -- : Message from microsoft_office365: invalid_credentials (Exceptions::UnprocessableEntity)

Google gives me this:
https://docs.microsoft.com/en-us/graph/errors:
422 Unprocessable Entity Cannot process the request because it is semantically incorrect.

How can that be with just one user, starting all of a sudden? Unfortunately our password restrictions are quite complex, so asking the user to change the password is the last resort.

Since this user is a highly productive agent, any help is very appreciated.
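Added example, not from the post or from Zammad: a small Python triage script that parses OmniAuth failure lines like the ones in the excerpt and separates a genuine credential rejection from an upstream error page returned by the provider (the `Runtime Error` HTML above), pulling out the error code and the `request-id` needed for a support case. The sample log lines are constructed, modelled on the excerpt, with the HTML body shortened to its title.

```python
import re

# Constructed sample modelled on the production.log excerpt in the post.
# Line 1: provider returned an HTML error page instead of a JSON error.
# Line 2: the downstream echo Zammad writes (not parsed, no payload).
# Line 3: a constructed non-HTML provider rejection for comparison.
SAMPLE_LOG = r"""
production.log.1:E, [2022-01-31T13:51:35.774344 #892-1983980] ERROR -- : (microsoft_office365) Authentication failure! invalid_credentials: OAuth2::Error, {"code"=>"UnknownError", "message"=>"<!DOCTYPE html>\r\n<html><head><title>Runtime Error</title></head></html>\r\n", "innerError"=>{"date"=>"2022-01-31T13:51:35", "request-id"=>"e6b0f7f2-5589-412e-a3b6-b6a06c0ae753", "client-request-id"=>"e6b0f7f2-5589-412e-a3b6-b6a06c0ae753"}}: 
production.log.1:E, [2022-01-31T13:51:35.811356 #892-1986900] ERROR -- : Message from microsoft_office365: invalid_credentials (Exceptions::UnprocessableEntity)
production.log.1:E, [2022-02-01T08:00:00.000000 #892-2000000] ERROR -- : (microsoft_office365) Authentication failure! invalid_credentials: OAuth2::Error, {"code"=>"InvalidAuthenticationToken", "message"=>"constructed non-HTML message"}: 
"""

# Matches the OmniAuth "Authentication failure!" line, with or without the
# "production.log.1:" prefix that grep prepends.
FAILURE_RE = re.compile(
    r"^(?:(?P<file>[^:\s]*):)?E, \[(?P<ts>[^ ]+) #(?P<pid>[^\]]+)\] ERROR -- : "
    r"\((?P<strategy>[^)]+)\) Authentication failure! (?P<reason>\w+): "
    r"(?P<klass>[\w:]+), (?P<payload>\{.*\}): ?$"
)


def parse_failure(line):
    """Return a dict describing one OmniAuth failure line, or None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    payload = m.group("payload")  # Ruby Hash#inspect output, not JSON

    def field(name):
        # Value may contain escaped quotes (\") and \r\n sequences.
        f = re.search(r'"%s"=>"((?:[^"\\]|\\.)*)"' % re.escape(name), payload)
        return f.group(1) if f else None

    message = field("message") or ""
    is_html = message.lstrip().lower().startswith(("<!doctype html", "<html"))
    return {
        "timestamp": m.group("ts"),
        "strategy": m.group("strategy"),
        "reason": m.group("reason"),
        "error_class": m.group("klass"),
        "code": field("code"),
        "request_id": field("request-id"),
        "provider_date": field("date"),
        # An HTML body means the provider's endpoint failed, not the user's password.
        "kind": "upstream_error_page" if is_html else "provider_rejection",
    }


def triage(log_text):
    """Parse every failure line in a log excerpt; skip the downstream echoes."""
    return [rec for rec in map(parse_failure, log_text.splitlines()) if rec]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["timestamp"], rec["strategy"], rec["kind"], rec["code"], rec["request_id"])
```

For an `upstream_error_page` finding, the `request_id` and `provider_date` are what the provider's support needs; a `provider_rejection` with a concrete code is the case where checking the account or app registration first makes sense.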