Revoke user access in an emergency in Microsoft Entra ID - Microsoft Entra ID (original) (raw)

Overview

Scenarios that could require an administrator to revoke all access for a user include compromised accounts, employee termination, and other insider threats. Depending on the complexity of the environment, administrators can take several steps to ensure access is revoked. In some scenarios, there could be a period between the initiation of access revocation and when access is effectively revoked.

To mitigate the risks, you must understand how tokens work. There are many kinds of tokens, which fall into one of the patterns discussed in this article.

Prerequisites

The PowerShell steps in this article require the following:

• Microsoft Graph PowerShell SDK installed. Install the required modules:

Install-Module Microsoft.Graph.Users  
Install-Module Microsoft.Graph.Users.Actions  
Install-Module Microsoft.Graph.Identity.DirectoryManagement  

• Sign in with an account that has the appropriate roles. Different steps require different roles:
  • Disable user accounts: User Administrator for non-admin users, or Privileged Authentication Administrator for admin accounts.
  • Disable devices: Cloud Device Administrator at minimum.
• Connect to Microsoft Graph with the required scopes:

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All"  

Access tokens and refresh tokens

Access tokens and refresh tokens are frequently used with thick client applications, and also used in browser-based applications such as single page apps.

• When users authenticate to Microsoft Entra ID, part of Microsoft Entra, authorization policies are evaluated to determine if the user can be granted access to a specific resource.
• After authorization, Microsoft Entra ID issues an access token and a refresh token for the resource.
• If the authentication protocol allows, the app can silently reauthenticate the user by passing the refresh token to Microsoft Entra ID when the access token expires. By default, access tokens issued by Microsoft Entra ID last for 1 hour.
• Microsoft Entra ID then reevaluates its authorization policies. If the user is still authorized, Microsoft Entra ID issues a new access token and refresh token.

Access tokens might pose a security risk if they need to be revoked within a period shorter than their typical one-hour lifespan. For this reason, Microsoft is actively working to bring continuous access evaluation to Office 365 applications, which helps ensure invalidation of access tokens in near real time.

Session tokens (cookies)

Most browser-based applications use session tokens instead of access and refresh tokens.

• When a user opens a browser and authenticates to an application via Microsoft Entra ID, the user receives two session tokens. One from Microsoft Entra ID and another from the application.
• After the application issues its own session token, the application controls access based on its authorization policies.
• The authorization policies of Microsoft Entra ID are reevaluated as often as the application sends the user back to Microsoft Entra ID. Reevaluation usually happens silently, though the frequency depends on how the application is configured. It's possible that the app might never send the user back to Microsoft Entra ID as long as the session token is valid.
• To revoke a session token, the application must revoke access based on its own authorization policies. Microsoft Entra ID can't directly revoke a session token issued by an application.

Revoke access for a user in the hybrid environment

For a hybrid environment with on-premises Active Directory synchronized with Microsoft Entra ID, Microsoft recommends that IT admins take the following actions. If you have a Microsoft Entra-only environment, skip to the Microsoft Entra environment section.

On-premises Active Directory environment

As an admin in the Active Directory, connect to your on-premises network, open PowerShell, and take the following actions:

1. Disable the user in Active Directory. Refer to Disable-ADAccount.

Disable-ADAccount -Identity johndoe  

1. Reset the user's password twice in the Active Directory. Refer to Set-ADAccountPassword.
   Note
   The reason for changing a user's password twice is to mitigate the risk of pass-the-hash, especially if there are delays in on-premises password replication. If you can safely assume this account isn't compromised, you might reset the password only once.
   Important
   Don't use the example passwords in the following cmdlets. Be sure to change the passwords to a random string.

Set-ADAccountPassword -Identity johndoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd1" -Force)  
Set-ADAccountPassword -Identity johndoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd2" -Force)  

Microsoft Entra environment

As an administrator in Microsoft Entra ID, open PowerShell, connect to Microsoft Graph with the required scopes (see Prerequisites), and take the following actions:

1. Disable the user in Microsoft Entra ID. Refer to Update-MgUser.

$User = Get-MgUser -Search UserPrincipalName:'johndoe@contoso.com' -ConsistencyLevel eventual  
Update-MgUser -UserId <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>U</mi><mi>s</mi><mi>e</mi><mi>r</mi><mi mathvariant="normal">.</mi><mi>I</mi><mi>d</mi><mo>−</mo><mi>A</mi><mi>c</mi><mi>c</mi><mi>o</mi><mi>u</mi><mi>n</mi><mi>t</mi><mi>E</mi><mi>n</mi><mi>a</mi><mi>b</mi><mi>l</mi><mi>e</mi><mi>d</mi><mo>:</mo></mrow><annotation encoding="application/x-tex">User.Id -AccountEnabled:</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.7778em;vertical-align:-0.0833em;"></span><span class="mord mathnormal" style="margin-right:0.10903em;">U</span><span class="mord mathnormal" style="margin-right:0.02778em;">ser</span><span class="mord">.</span><span class="mord mathnormal" style="margin-right:0.07847em;">I</span><span class="mord mathnormal">d</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">−</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.6944em;"></span><span class="mord mathnormal">A</span><span class="mord mathnormal">cco</span><span class="mord mathnormal">u</span><span class="mord mathnormal">n</span><span class="mord mathnormal" style="margin-right:0.05764em;">tE</span><span class="mord mathnormal">nab</span><span class="mord mathnormal" style="margin-right:0.01968em;">l</span><span class="mord mathnormal">e</span><span class="mord mathnormal">d</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">:</span></span></span></span>false  

1. Revoke the user's Microsoft Entra ID refresh tokens. Refer to Revoke-MgUserSignInSession.

Revoke-MgUserSignInSession -UserId $User.Id  

1. Disable the user's devices. Refer to Get-MgUserRegisteredDevice.

Get-MgUserRegisteredDevice -UserId $User.Id -All | ForEach-Object {  
    Update-MgDevice -DeviceId <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><msub><mrow></mrow><mi mathvariant="normal">.</mi></msub><mi>I</mi><mi>d</mi><mo>−</mo><mi>A</mi><mi>c</mi><mi>c</mi><mi>o</mi><mi>u</mi><mi>n</mi><mi>t</mi><mi>E</mi><mi>n</mi><mi>a</mi><mi>b</mi><mi>l</mi><mi>e</mi><mi>d</mi><mo>:</mo></mrow><annotation encoding="application/x-tex">_.Id -AccountEnabled:</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.8444em;vertical-align:-0.15em;"></span><span class="mord"><span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:-0.0761em;"><span style="top:-2.55em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">.</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mord mathnormal" style="margin-right:0.07847em;">I</span><span class="mord mathnormal">d</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">−</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.6944em;"></span><span class="mord mathnormal">A</span><span class="mord mathnormal">cco</span><span class="mord mathnormal">u</span><span class="mord mathnormal">n</span><span class="mord mathnormal" style="margin-right:0.05764em;">tE</span><span class="mord mathnormal">nab</span><span class="mord mathnormal" style="margin-right:0.01968em;">l</span><span class="mord mathnormal">e</span><span class="mord mathnormal">d</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">:</span></span></span></span>false  
}  

Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

When access is revoked

After admins take the above steps, the user can't gain new tokens for any application tied to Microsoft Entra ID. The elapsed time between revocation and the user losing their access depends on how the application is granting access:

• For applications using access tokens, the user loses access when the access token expires.
• For applications that use session tokens, the existing sessions end as soon as the token expires. If the disabled state of the user is synchronized to the application, the application can automatically revoke the user's existing sessions if it's configured to do so. The time it takes depends on the frequency of synchronization between the application and Microsoft Entra ID.

Best practices

• Deploy an automated provisioning and deprovisioning solution. Deprovisioning users from applications is an effective way of revoking access, especially for applications that use sessions tokens or allow users to sign in directly without a Microsoft Entra or Windows Server AD token. Develop a process to also deprovision users to apps that don't support automatic provisioning and deprovisioning. Ensure applications revoke their own session tokens and stop accepting Microsoft Entra access tokens even if they're still valid.
  • Use Microsoft Entra app provisioning. Microsoft Entra app provisioning typically runs automatically every 20-40 minutes. Configure Microsoft Entra provisioning to deprovision or deactivate users in SaaS and on-premises applications. If you were using Microsoft Identity Manager to automate the deprovisioning of users from on-premises applications, you can use Microsoft Entra app provisioning to reach on-premises applications with a SQL database, non-AD directory server or other connectors.
  • For on-premises applications using Windows Server AD, you can configure Microsoft Entra Lifecycle Workflows to update users in AD (preview) when employees leave.
  • Identify and develop a process for applications that require manual deprovisioning. For example, the automated ServiceNow ticket creation with Microsoft Entra Entitlement Management can open a ticket when employees lose access. Ensure admins and application owners can quickly run the required manual tasks to deprovision the user from these apps when needed.
• Manage your devices and applications with Microsoft Intune. Intune-managed devices can be reset to factory settings. If the device is unmanaged, you can wipe the corporate data from managed apps. These processes are effective for removing potentially sensitive data from end users' devices. However, for either process to be triggered, the device must be connected to the internet. If the device is offline, it still has access to any locally stored data.

Note

Data on the device can't be recovered after a wipe.

• Use Microsoft Defender for Cloud Apps to block data download when appropriate. If the data can only be accessed online, organizations can monitor sessions and achieve real-time policy enforcement.
• Use Continuous Access Evaluation (CAE) in Microsoft Entra ID. CAE allows admins to revoke the session tokens and access tokens for applications that are CAE capable.

Next steps

• Secure access practices for Microsoft Entra administrators
• Add or update user profile information
• Remove or Delete a former employee