Immediately revoke access to Office 365 applications

Being able to immediately revoke a user's access to applications is one of the most requested security-related features for Office 365. Because of the different caching mechanisms employed in the service and/or the apps you use, accomplishing this can be a tricky task. As an example, you can refer to this article detailing the different factors that affect this in Exchange (Online). Modern authentication made things even messier, with the very long validity of the refresh tokens and the lack of proper methods to revoke them.

Almost a year ago, the SharePoint Online team gave us the opportunity to revoke access via the Revoke-SPOUserSession cmdlet. I blogged about this here. Now, at long last, we finally have global control over this via the AzureAD PowerShell module and the Revoke-AzureADUserAllRefreshToken cmdlet. Here are a few examples of how to use the cmdlet:

  • The only parameter the cmdlet accepts is -ObjectId, which isn’t really convenient (if only the folks at Microsoft listened to feedback):
    C:\> Revoke-AzureADUserAllRefreshToken -ObjectId 582b2b38-888c-4b85-8471-c9716cb4791b

    No output will be returned unless an error occurs.

  • An easier way is to get the objectId via the Get-AzureADUser cmdlet and pipe it to Revoke-AzureADUserAllRefreshToken:
    C:\> Get-AzureADUser -SearchString huku | Revoke-AzureADUserAllRefreshToken
  • Similarly, you can do something like this:
    C:\> Revoke-AzureADUserAllRefreshToken -ObjectId (Get-AzureADUser -SearchString huku).objectId
  • Or you can get more creative, for example revoking access for all members of a particular group:
    C:\> Get-AzureADGroup -SearchString CloudSecGrp | Get-AzureADGroupMember | Revoke-AzureADUserAllRefreshToken

Another similar cmdlet exists, namely Revoke-AzureADSignedInUserAllRefreshToken. It's used to revoke tokens for the currently signed-in user, i.e. the one issuing the cmdlet. It doesn't accept any parameters and can be used for testing/development purposes.

Lastly, a word of caution. Although the cmdlet does revoke the refresh token, the access token remains valid and the user will be able to continue to access data until the browser is closed (or the app restarted). In other words, the user is not immediately forced to reauthenticate, but with the refresh token purged they will have to do so as soon as the access token has expired (max 1 hour) or the app/browser is closed.
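The examples above key everything off -ObjectId and a -SearchString prefix match, which can silently hit more than one account. The following is an added example, not code from the original post: a wrapper that looks users up by exact UPN, supports -WhatIf, and, after the (silent) revocation, re-reads the user to show the RefreshTokensValidFromDateTime stamp and the latest point at which any outstanding access token can still be valid, derived from the 1-hour maximum stated above. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run with sufficient rights.

```powershell
# Added example (not from the original post). Revokes all refresh tokens for one
# or more users identified by UPN. Assumes Connect-AzureAD has already run.
function Revoke-UserRefreshTokens {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            # Exact lookup: Get-AzureADUser -ObjectId accepts a UPN as well as a GUID.
            # -SearchString is a prefix match and could return several accounts.
            $user = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
            if (-not $user) {
                Write-Warning "No user found for '$upn'; nothing revoked."
                continue
            }
            if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke all refresh tokens')) {
                # The cmdlet returns nothing on success, so confirm by re-reading the
                # user afterwards: RefreshTokensValidFromDateTime moves to "now".
                Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
                $after = Get-AzureADUser -ObjectId $user.ObjectId
                [pscustomobject]@{
                    UserPrincipalName        = $user.UserPrincipalName
                    ObjectId                 = $user.ObjectId
                    RefreshTokensValidFrom   = $after.RefreshTokensValidFromDateTime
                    # Estimate only: access tokens already issued stay valid up to 1 hour.
                    AccessTokensExpireBy     = (Get-Date).ToUniversalTime().AddHours(1)
                }
            }
        }
    }
}

# Usage (constructed names). Dry run for a single user:
#   Revoke-UserRefreshTokens -UserPrincipalName 'huku@contoso.example' -WhatIf
# Every direct user member of a group (-All $true avoids the default page limit;
# nested groups are not expanded here):
#   Get-AzureADGroup -SearchString CloudSecGrp | Get-AzureADGroupMember -All $true |
#       Where-Object ObjectType -eq 'User' |
#       Select-Object -ExpandProperty UserPrincipalName |
#       Revoke-UserRefreshTokens
```

Keep the returned objects as an audit record of who was revoked and when, since the underlying cmdlet itself leaves no local trace.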

This entry was posted in Office 365, PowerShell.

6 Responses to Immediately revoke access to Office 365 applications

  1. Fabio Negreiros says:

    Vasil, good morning!

    Do you know if it's possible to decrease the token expiration time? I know that it takes 1 hour max, but my client wants it in 10 minutes.

  2. Al says:

    Thanks for this great article.
    Do you know what role is required to run this cmdlet?

    • Vasil Michev says:

      I’ve only tested it with Global admin, but I imagine it might work with User admin permissions as well.

    • Carl Knecht says:

      I just ran through every single role in a test tenant in order to determine this. It’s Company Administrator (AKA Global Admin) only. You would think Security Administrator and/or User Account Administrator would have this ability, but that’s not the case as far as I can tell.
