Thursday, July 5, 2018

Turn an Office 365 user ‘off’ with PowerShell


A common situation in the field is that a business discovers a user account has been compromised, or it no longer wants that user to have access to Office 365.

Of course, they can go into the Office 365 Admin Center and block the user's sign-in, but the user may still have access through mobile devices and active browser sessions. So fully suspending a user's account as quickly as possible requires more than just disabling the login.

Anything that requires a sequence of steps is better completed with a script, and that is what I have created at:

https://github.com/directorcia/Office365/blob/master/o365-user-off.ps1

The script requires you to already be connected to Azure AD, Exchange Online and SharePoint Online. It then goes through the following steps:

- blocks the user's login to Office 365

- invalidates the user's refresh tokens for applications

- disables Exchange features like OWA, POP, IMAP, etc.
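The three steps above, as an added PowerShell example that is not the o365-user-off.ps1 script from the repo. It assumes an existing Connect-AzureAD session and an Exchange Online remote session (so Set-CASMailbox is available); the function names Suspend-O365User and Resume-O365User are my own, and the returned object records when the suspension happened so the one-hour access-token window can be tracked.

```powershell
# Added example, not the blog's script. Assumes the AzureAD module (Connect-AzureAD already run)
# and an Exchange Online session that exposes Set-CASMailbox / Get-CASMailbox.

function Suspend-O365User {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $user = Get-AzureADUser -ObjectId $UserPrincipalName   # throws if the UPN does not exist

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Suspend Office 365 access')) {
        # Step 1: block sign-in (the password is left untouched so this stays reversible)
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

        # Step 2: invalidate refresh tokens so apps cannot silently get new access tokens.
        # Existing access tokens stay valid until they expire (about one hour by default).
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

        # Step 3: turn off the Exchange client protocols
        Set-CASMailbox -Identity $UserPrincipalName `
            -OWAEnabled $false -PopEnabled $false -ImapEnabled $false `
            -ActiveSyncEnabled $false -MAPIEnabled $false -EwsEnabled $false
    }

    $now = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        User                 = $UserPrincipalName
        SuspendedAtUtc       = $now
        # Worst case from the text: a token renewed just before suspension lives another hour
        TokensExpiredByUtc   = $now.AddHours(1)
    }
}

function Resume-O365User {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Restore Office 365 access')) {
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $true
        Set-CASMailbox -Identity $UserPrincipalName `
            -OWAEnabled $true -PopEnabled $true -ImapEnabled $true `
            -ActiveSyncEnabled $true -MAPIEnabled $true -EwsEnabled $true
    }
}

function Test-O365UserSuspended {
    # Verification check: returns $true only when sign-in and every client protocol are off
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $cas  = Get-CASMailbox -Identity $UserPrincipalName
    (-not $user.AccountEnabled) -and
    (-not $cas.OWAEnabled) -and (-not $cas.PopEnabled) -and (-not $cas.ImapEnabled) -and
    (-not $cas.ActiveSyncEnabled) -and (-not $cas.MAPIEnabled) -and (-not $cas.EwsEnabled)
}

# Usage (replace the placeholder UPN with a real account):
# $result = Suspend-O365User -UserPrincipalName 'user@example.com' -WhatIf   # dry run first
# $result = Suspend-O365User -UserPrincipalName 'user@example.com'
# Test-O365UserSuspended -UserPrincipalName 'user@example.com'                # expect True
# Resume-O365User -UserPrincipalName 'user@example.com'                       # once checks are done
```

Run it with -WhatIf first to see exactly what would change, and keep the returned object: its TokensExpiredByUtc value is the earliest time you can assume a mobile client has actually been locked out, for the reason explained below.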

Importantly, it doesn't change the user's password, because this script is designed to be reversible. That is, suspicious activity has been detected on the account and you want to suspend access while you do some checking. Hopefully everything is fine and you can simply re-enable the account when the checking is complete. If not, further action can be taken.

Importantly, even with this script, access to all Office 365 information is not revoked immediately. By default, mobile applications authenticate with a token that generally lasts one hour before it is renewed. The worst case is that the token is renewed just before you suspend the account with the script: it will take a further one hour until the token renewal is required and the lockout is enforced. That means the account could still be active on a mobile device for up to one hour after suspension.

Now, you can change this one-hour period, but that requires a preview version of the Azure AD PowerShell modules, and I'll leave that to you if you want to go down that route. You can find out more here:

Configurable token lifetimes in Azure AD (Public preview)

There are some other device management commands I have come across that may also be handy here, but for now the script should do the job.

Remember to keep checking my GitHub repo to see when I update and improve this script. Of course, any feedback is welcome on how the script can be improved, or if you find any errors.