Make sure they are using the UPN found in the O365 admin console. If a user has never logged into Retain before it will try to find the credentials in the exchangeuser.csv file. However, Retain login will fail if the exchangeuser.csv is empty or corrupt. Run the sync365 script to update the CSV files.
Once the user has logged in successfully their credentials are stored in Retain for subsequent logins.