Smartphone Continues to Sync Email After Password Change

Description

A user's mailbox password is changed on an Exchange server, but their smartphone (iPhone or Android) continues to sync email and the user can keep using their email address. In some cases the behavior continues for up to two days.

Applies to:

Exchange 2013, 2016, Exchange+, Exchange Online, Office 365 (O365), iPhone, Android

Symptoms

A client requests that a user's mailbox password be changed or disabled for a disciplinary or termination reason. The password is changed, but the user can continue using Outlook or, more importantly, their smartphone to keep communicating from their company email address. This is a security concern and a possible risk to the company's reputation.

Cause

Exchange ActiveSync typically communicates with devices as items are received, using Direct Push communication. However, when a password is changed, Active Directory can require 8 to 24 hours before the device receives the change.

Detailed information on EAS device communication can be found at the following Microsoft Support link: https://support.microsoft.com/en-us/help/2612821/eas-devices-still-sync-after-an-account-is-disabled-or-a-password-is-c

Recommendations

As uncomfortable as it may be, asking the employee to delete the email account from their smartphone in the presence of the manager or a human resources representative will ensure the account cannot be accessed. An alternative is to ask the employee to power cycle the smartphone, which forces the authentication process so that the device recognizes the change in password.

It is also best practice to close Outlook or log the user off of their workstation when the password is changed for a disciplinary or termination reason.
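
To confirm from the server side whether a device is still syncing after the password change, an administrator can compare each device's last successful sync against the time of the change. The script below is an added example, not part of the original article; the mailbox address, the timestamp and the optional `-DisableActiveSync` switch (a hypothetical parameter of this script that turns ActiveSync off for the mailbox) are assumptions.

```powershell
# Added example. Save as a script and run it in the Exchange Management Shell
# or an Exchange Online PowerShell session.
param(
    [string]   $Mailbox           = 'jdoe@example.com',      # constructed placeholder
    [datetime] $PasswordChangedAt = '2024-01-15T14:30:00Z',  # constructed placeholder
    [switch]   $DisableActiveSync                            # hypothetical switch of this script
)

# Assumption: LastSuccessSync is reported in UTC, so compare in UTC.
$changedUtc = $PasswordChangedAt.ToUniversalTime()

# One row per ActiveSync partnership (phone, tablet, mail app) on the mailbox.
$devices = @(Get-MobileDeviceStatistics -Mailbox $Mailbox)

# Devices that completed a sync after the password change are still
# syncing despite the change.
$stillSyncing = @($devices | Where-Object {
    $_.LastSuccessSync -and $_.LastSuccessSync -gt $changedUtc
})

if ($stillSyncing.Count -eq 0) {
    Write-Output "No device on $Mailbox has synced since $($changedUtc.ToString('u'))."
} else {
    $stillSyncing |
        Sort-Object LastSuccessSync -Descending |
        Format-Table DeviceFriendlyName, DeviceType, DeviceModel, DeviceID,
                     LastSuccessSync, LastSyncAttemptTime -AutoSize
}

if ($DisableActiveSync) {
    # Turns the ActiveSync protocol off for this mailbox only, then shows the result.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
    Get-CASMailbox -Identity $Mailbox | Format-List Name, ActiveSyncEnabled
}
```

Run it once without the switch to see which devices are affected, and again some time later to verify that no new successful syncs appear.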
