Being able to immediately revoke a user’s access to applications is one of the most requested security-related features for Office 365. Because of the different caching mechanisms employed in the service and/or the apps you use, accomplishing this can be a tricky task. As an example, you can refer to this article detailing the different factors that affect this in Exchange (Online). Modern authentication made things even messier, with the very long validity of the refresh tokens and the lack of proper methods to revoke them.
Almost a year ago, the SharePoint Online team gave us the opportunity to revoke access via the Revoke-SPOUserSession cmdlet. I blogged about this here. Now, at long last, we finally have global control over this via the AzureAD PowerShell module and the Revoke-AzureADUserAllRefreshToken cmdlet. Here are a few examples of how to use the cmdlet:
The only parameter the cmdlet accepts is -ObjectId, which isn’t really convenient (if only the folks at Microsoft listened to feedback):
C:\> Revoke-AzureADUserAllRefreshToken -ObjectId 582b2b38-888c-4b85-8471-c9716cb4791b
No output will be returned unless an error occurs.
An easier way is to get the objectId via the Get-AzureADUser cmdlet and pipe it to Revoke-AzureADUserAllRefreshToken:
C:\> Get-AzureADUser -SearchString huku | Revoke-AzureADUserAllRefreshToken
Similarly, you can do something like this:
C:\> Revoke-AzureADUserAllRefreshToken -ObjectId (Get-AzureADUser -SearchString huku).objectId
Or you can get more creative, for example by revoking access for all members of a particular group:
C:\> Get-AzureADGroup -SearchString CloudSecGrp | Get-AzureADGroupMember | Revoke-AzureADUserAllRefreshToken
Another similar cmdlet exists, namely Revoke-AzureADSignedInUserAllRefreshToken. It’s used to revoke tokens for the currently signed-in user, i.e. the one issuing the cmdlet. It doesn’t accept any parameters and can be used for testing/development purposes.
Lastly, a word of caution. Although the cmdlet does revoke the refresh token, the access token remains valid and the user will be able to continue to access data until the browser is closed (or the app restarted). In other words, the user is not immediately forced to reauthenticate, but with the refresh token purged he will have to do so as soon as the access token has expired (max 1 hour) or the app/browser is closed.
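The one-liners above are fine for a single user or group, but during an incident you usually want a record of who was revoked, when, and whether the call succeeded, plus the window in which cached access tokens may still work. The script below is an added example, not code from the original post: it revokes refresh tokens for a list of users, re-reads each user to show the RefreshTokensValidFromDateTime attribute the directory updates, and writes a CSV timeline. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the UPNs in $Targets and the path in $LogPath are constructed sample values, and the one-hour figure comes from the caveat above.

```powershell
# Added example (not from the original post): bulk refresh-token revocation with a log.
# Assumes: AzureAD module loaded and Connect-AzureAD already executed.
# $Targets and $LogPath are constructed values for this example.

$Targets = @('huku@contoso.com', 'alice@contoso.com')   # constructed sample UPNs
$LogPath = 'C:\Temp\RefreshTokenRevocation.csv'        # constructed log location

# Alternative source for $Targets, mirroring the group one-liner in the post:
# $Targets = (Get-AzureADGroup -SearchString CloudSecGrp | Get-AzureADGroupMember).UserPrincipalName

$results = foreach ($upn in $Targets) {
    # -ObjectId accepts either the GUID or the UPN, so no separate lookup is needed
    try {
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
    } catch {
        Write-Warning "User $upn not found: $($_.Exception.Message)"
        continue
    }

    $revokedAt = (Get-Date).ToUniversalTime()
    try {
        # No output on success; only errors surface, so catch them explicitly
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
        $status = 'Revoked'
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }

    # Re-read the user: the directory records the moment refresh tokens became invalid
    $after = Get-AzureADUser -ObjectId $user.ObjectId

    [pscustomobject]@{
        UserPrincipalName              = $user.UserPrincipalName
        ObjectId                       = $user.ObjectId
        Status                         = $status
        RevokedAtUtc                   = $revokedAt
        RefreshTokensValidFromUtc      = $after.RefreshTokensValidFromDateTime
        # Per the post, an already-issued access token can stay valid up to 1 hour
        AccessTokensMayPersistUntilUtc = $revokedAt.AddHours(1)
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $LogPath -NoTypeInformation
```

The AccessTokensMayPersistUntilUtc column is there so whoever reads the log understands that revocation is not instantaneous; if the user is still active after that time, the refresh token revocation did not take or the user re-authenticated, and that is worth checking in the sign-in logs.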