Revoking access to users in Office 365 and Azure is an important part of user management. You may have noticed however that users are able to access content even after their accounts have been disabled.
This happens because of tokens. A token is a piece of encrypted data that can be exchanged between client and the server to authenticate and authorize a request. Two types of tokens are important for modern authentication in Office 365:
- Refresh token
- Access token
Refresh token
The refresh token is provided to a browser or application upon a successful login using Azure Active Directory. Clients use a valid refresh token to obtain new access/refresh token pairs when the current access token expires. This exchange succeeds if the user’s initial authentication is still valid and unchanged. Refresh tokens are valid for up to 90 days when not used. They are extended when used and, therefore, can remain valid until actively invalidated. These events invalidate refresh tokens:
- The user’s password has changed since the refresh token was issued
- The account is disabled, or roles and permissions have changed
- Conditional access policies apply, which restrict access to the resource the user is trying to access
- Conditional access policies apply, which explicitly limits the lifetime of a refresh token
- An administrator does an explicit revoke of the refresh token for a user using Powershell commands
Access token
An access token is a token provided after successful authentication and is valid for 1 hour. An access token can be used to provide access to a specific combination of user, client, and resource until the browser is closed (or the app restarted). An access token comes with a refresh token that can be used to extend this access tokens.
After the access token has expired and a valid refresh token is presented, an app or browser can get a new access token again valid for 1 hour.
Access tokens can not be revoked or invalidated before they expire.
Revoke access
By revoking all the refresh tokens of a user, it will basically log out the user everywhere in each application. It forces the user to re-authenticate (password prompt) as soon as the access token for a service has expired which takes a maximum of 1 hour. It is not uncommon that different access tokens expire at not exactly the same time. So you may see a popup from Onedrive before Outlook stops working or vice versa.
Via Powershell, an admin can revoke the refresh tokens AND the session cookies for open browser windows. This is the best way to immediately log out a user with the understanding that this could still mean waiting 10-15 minutes.
Revoke-AzureADUserAllRefreshToken
To invalidate refresh tokens and session cookies for a user, the following commands can be given.
First, connect to Azure Active Directory.
Connect-AzureAD
Second, issue this command.
Get-AzureADUser -SearchString user@yourdomain.com | Revoke-AzureADUserAllRefreshToken
Update 2022: Microsoft has included a button in Azure Portal to perform this same task via the web interface. Some users may find the web interface easier to use. It is located at the top of the Active Directory users panel, profile page, and is labeled “Revoke sessions”.
Requirements
This command is restricted to User Admin (or Global Admin) for unprivileged users and requires full Global Admin access for privileged users as a target. A privileged user is a user who has roles in Azure or Office 365.