Disabling, blocking and revoking an M365 user from your tenant
There are times when you need to force a user or users to be disconnected from Microsoft 365 services like Exchange and SharePoint and block their access. When this happens, you need to complete the following tasks.
- Block the user’s sign in
- Reset the user’s password and force a change on next login
- Revoke their sessions to SharePoint and OneDrive
- Revoke or remove their AzureAD authentication tokens
These tasks can be done via the GUI, but it's quicker to have a script prepared. Then, in the event of a request, you can run the script and disable the user's access. In this post I will go over one method I use. I assume you have a global administrator or a custom role to perform the actions, so I will not cover that here.
The first step in the process is connecting to M365 services with PowerShell. The services we will need to connect to are AzureAD, SharePoint Online and Exchange Online. Blocking these services will kill most users' connections.
Connecting to AzureAD is covered at this link: https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell##connect-with-the-azure-active-directory-powershell-for-graph-module
SharePoint Online requires an install package which is found here: https://www.microsoft.com/en-us/download/details.aspx?id=35588 or you can directly install the PowerShell module shown below.
Exchange Online requires some new modules since MFA may be required. The module I use is a PowerShell install from here: https://www.powershellgallery.com/packages/ExchangeOnlineShell/2.0.3.3
The following code can be used to install the modules and set up the session.
```PowerShell
Install-Module -Name AzureAD -AllowClobber -Force
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -AllowClobber -Force
Install-Module -Name ExchangeOnlineShell -AllowClobber -Force
Import-Module AzureAD, ExchangeOnlineShell
```
Next, I use a .NET assembly to create passwords, so that needs to be loaded.
```PowerShell
# Load System.Web so [System.Web.Security.Membership] is available
[Reflection.Assembly]::LoadWithPartialName("System.Web")
```
Now I will set up some variables for use in the script.
```PowerShell
# Use to toggle mailbox move
$MoveMailbox = $false
# Use to toggle CSV input
$UseCSV = $true
# Tenant admin account
$LoginAcctName = "admin@tenant.onmicrosoft.com"
# Tenant name for SharePoint connections
$OrgName = "tenant"
# User to disable when not using CSV
$AccountToDisable = "test@tenant.domain.local"
```
The next part will change depending on MFA requirements. If the account does not need MFA, the credentials can simply be cached. If MFA is required, then each service may prompt on the first login. In that case, remove the credential options, or use an App Password to get around it.
```PowerShell
$LoginCred = Get-Credential
```
The next step is to connect to the Microsoft 365 services.
```PowerShell
# Azure Active Directory
Connect-AzureAD -Credential $LoginCred
# SharePoint Online
Connect-SPOService -Url https://$OrgName-admin.sharepoint.com -Credential $LoginCred
# Exchange Online
Connect-ExchangeOnlineShell -Credential $LoginCred
```
Once connected, the script will read its users from a CSV or fall back to a single user.
```PowerShell
# Read in the CSV if required. If not, $AccountToDisable will be used.
# The CSV needs an Email column.
if ($UseCSV)
{
    $userlist = Import-Csv -Path .\Users.csv
} else
{
    $userlist = [pscustomobject]@{
        Email = $AccountToDisable
    }
}
```
The final part of the script is to disable, reset, revoke and move mailboxes.
```PowerShell
foreach ($AccountToDisable in $userlist)
{
    # Call the GeneratePassword method: 16 characters, at least 5 non-alphanumeric
    $PW = [System.Web.Security.Membership]::GeneratePassword(16,5)
    Write-Output "Disabling, resetting the password for clearing login tokens for $($AccountToDisable.Email) and set the password to $PW"
    # Disable account
    Get-AzureADUser -ObjectId $AccountToDisable.Email | Set-AzureADUser -AccountEnabled $false
    # Reset user's password
    Set-AzureADUserPassword -ObjectId $AccountToDisable.Email -Password (ConvertTo-SecureString -AsPlainText $PW -Force) -ForceChangePasswordNextLogin $true
    # Revoke sessions to SharePoint Online
    Revoke-SPOUserSession -User $AccountToDisable.Email -Confirm:$false
    # Revoke session tokens to AzureAD
    Get-AzureADUser -ObjectId $AccountToDisable.Email | Revoke-AzureADUserAllRefreshToken
    # Force disconnection on mailbox by moving the mailbox
    if ($MoveMailbox)
    {
        if (((Get-Mailbox -Identity $AccountToDisable.Email -ErrorAction Ignore).Database).Count -eq 1)
        {
            New-MoveRequest -Identity $AccountToDisable.Email -PrimaryOnly
        }
    }
}
```
The first part of the above snippet creates a password using the assembly. It then gets the user in question, disables the account and resets the password. Next, we revoke the SharePoint Online sessions and all refresh tokens to AzureAD. This should drop the user's access and force a new login. The last part is the mailbox move, which can be used to force Outlook and other tools to reconnect. A mailbox move has the side effect of disconnecting the user, but the mail clients will reconnect and force a new login attempt.
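A check that could follow the loop, shown here as an added example that is not part of the original script: it confirms that sign-in is blocked and that the refresh-token "valid from" timestamp moved past the time the lockdown started. `Test-LockdownState`, `$LockdownStartUtc` and `$SkewAllowance` are hypothetical names, the sample users are constructed so the block runs without a tenant connection, and the timestamp is assumed to be reported in UTC.

```powershell
function Test-LockdownState {
    param(
        # A user object as returned by Get-AzureADUser
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # UTC time captured just before the disable/revoke loop started
        [Parameter(Mandatory)] [datetime] $LockdownStartUtc,
        # Assumed tolerance for drift between the local and directory clocks
        [timespan] $SkewAllowance = [timespan]::FromMinutes(2)
    )
    process {
        # Assumption: RefreshTokensValidFromDateTime is a UTC timestamp
        $validFrom = [datetime]::SpecifyKind(
            [datetime]$User.RefreshTokensValidFromDateTime, [DateTimeKind]::Utc)
        $blocked = ($User.AccountEnabled -eq $false)
        # Revocation moves the stamp forward; an older stamp means refresh
        # tokens issued before the lockdown are still accepted
        $revoked = ($validFrom -ge $LockdownStartUtc.Subtract($SkewAllowance))
        [pscustomobject]@{
            User          = $User.UserPrincipalName
            SignInBlocked = $blocked
            TokensRevoked = $revoked
            Verified      = ($blocked -and $revoked)
        }
    }
}

# Constructed sample objects standing in for Get-AzureADUser output
$start  = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'locked@tenant.domain.local'
        AccountEnabled = $false; RefreshTokensValidFromDateTime = $start.AddSeconds(5) }
    [pscustomobject]@{ UserPrincipalName = 'missed@tenant.domain.local'
        AccountEnabled = $true;  RefreshTokensValidFromDateTime = $start.AddDays(-30) }
)

$results = $sample | Test-LockdownState -LockdownStartUtc $start
$results | Format-Table -AutoSize
# Anything not verified needs a manual follow-up
$results | Where-Object { -not $_.Verified } |
    ForEach-Object { Write-Warning "Lockdown incomplete for $($_.User)" }

# Live use, with $start captured before the foreach loop:
# $userlist | ForEach-Object { Get-AzureADUser -ObjectId $_.Email } |
#     Test-LockdownState -LockdownStartUtc $start
```

Access tokens issued before the revocation remain usable until they expire, so a verified result means no new tokens can be obtained with the old refresh tokens, not that every open session has already ended.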