No, I have not found a solution for this. Not sure how we did resolve this issue as it was too long ago.

Thanks. Its not what I was looking for, but at least I now know to look into other solutions such as building my own jar (using javax.mail.*) and services. The client in this case is not using office365 so this will not be an option.

We did get around this. We are now using the build in user 'communities-user-admin' instead of our own service account. We do like to understand why our own account did not work. Most likely because we did not add our own service account to the 'user-administrators' group role which has probably a setting to allow changes to users&groups. Note: we still cannot add node/change node for the the build in 'admin' account. Most likely this is a protected account and only 'admin' user can change 'admi...

@Mayank_Gandhi We already use the externalizer on the outgoing message, but the issue here is the validation when the user submit the result from the page after entering a new password. The customer face URL is a nice formatted URL, while the actual internal server URL inside the safe zone is a very different URL. The system will generate the ky value with the Externalizer generated URL while it validate the URL with the internal host name. This will never match in this case.

To add on, I came across this example that override the /j_security_check. We can look at this and adjust it accordingly to to implement our failed user count. Will try to do this in the coming days. https://helpx.adobe.com/experience-manager/using/twofactor64.html