Mark Brezicky | Categories: Best Practices, Technical View, Azure, Security, Active Directory

Revoke all user sessions for Azure AD and Office 365

Whether an account has been compromised through a phishing attack or you simply want a definitive offboarding process, every administrator needs to know how to immediately revoke and deny access to a specific user account. Microsoft provides several ways to accomplish this and even publishes a fully documented process for user terminations:

  • OneDrive Sign Out
  • SharePoint Online PowerShell
  • Azure AD PowerShell


Each has its own process, and while the first two options have limitations, all three should be included in any offboarding script to ensure that access to the account is fully terminated.

OneDrive GUI

The first method is a Graphical User Interface (GUI) option for those who are not comfortable with PowerShell. Go to the Office 365 Admin Center (https://admin.microsoft.com) and follow these steps:

  1. In the admin center, go to Users > Active users
  2. Select the key icon box next to the user's name, and then select Reset password.
  3. Enter a new password, and then select Reset. (Don't send it to them.)
  4. Select the user's name to go to their properties pane, and on the OneDrive tab, select Initiate sign-out

[Screenshot: Initiate sign-out on the user's OneDrive tab in the admin center]

SharePoint PowerShell

Using SharePoint Online PowerShell is equivalent to the OneDrive GUI method, but it can be scripted. Use the following commands to connect to SharePoint Online PowerShell and revoke the user's sessions across Office 365 and all devices.

[Screenshots: SharePoint Online PowerShell commands to connect and revoke the user's sessions]

Keep in mind that regardless of which method above is used, the refresh token is good for an hour by default, so the actual cut-off time depends on how much time is left on the user's token and whether they navigate away from their current web page. This lifetime is configurable down to a minimum of 10 minutes. The following chart shows the token types and their possible values. Each of these can be configured using an Azure AD policy (Get-AzureADPolicy, Set-AzureADPolicy, New-AzureADPolicy).

[Chart: token types and their configurable lifetime values]
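The following script is an added example, not the commands from the post's screenshots, that chains the SharePoint Online and Azure AD PowerShell methods described above into one offboarding run and then applies the token-lifetime policy mentioned in the previous paragraph. It assumes the SharePoint Online Management Shell and AzureAD modules are installed, the caller holds the required admin roles, and the tenant name and user principal name are placeholders you replace.

```powershell
# Added example (not the blog's own code). Placeholders: 'contoso' tenant, UPN parameter.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. jdoe@contoso.com (placeholder)
    [string] $TenantName = 'contoso'                      # placeholder tenant short name
)

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Import-Module AzureAD

Connect-AzureAD | Out-Null
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$started = Get-Date
$user = Get-AzureADUser -ObjectId $UserPrincipalName

# 1. Block new sign-ins first, so a revoked session cannot simply be re-established.
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# 2. Reset the password to a random value nobody receives
#    (the GUI steps "Reset password" and "Don't send it to them").
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword

# 3. Azure AD PowerShell method: invalidate every refresh token issued to the user.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 4. SharePoint Online PowerShell method: sign the user out of SharePoint Online
#    and OneDrive on all devices (same effect as the "Initiate sign-out" button).
Revoke-SPOUserSession -User $UserPrincipalName -Confirm:$false

# 5. Check the revocation stuck: tokens issued before this timestamp are rejected.
$validFrom = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
if ($validFrom -lt $started) {
    Write-Warning "RefreshTokensValidFromDateTime ($validFrom) was not advanced; re-run step 3."
} else {
    Write-Host "Sessions for $UserPrincipalName revoked; tokens valid from $validFrom"
}

# Tenant-wide, run once rather than per user: shorten the access-token lifetime to the
# 10-minute minimum so revocations like the one above take effect sooner.
New-AzureADPolicy -Type 'TokenLifetimePolicy' -DisplayName 'ShortAccessTokenLifetime' `
    -IsOrganizationDefault $true `
    -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}')
```

Disabling the account before revoking tokens matters: revocation alone only invalidates existing refresh tokens, and an enabled account with a known password could obtain new ones immediately.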

Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment.  You can check out more in the Security section of our website.

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.
