Blocking Access to Office 365 for an Ex-employee

Office 365 Apps Hero

Easing Ex-Employees Out of Office 365

It is a natural part of business for employees to leave, one way or another. Some leave of their own volition, some receive encouragement to seek new challenges elsewhere, and some need to be marched out the door by a large security guard without their feet touching the ground.

In the on-premises world, your next step is probably to disable the ex-employee’s Active Directory account and impose similar blocks in any other authorization systems that the person might use to access company assets, including keycard access to buildings. Many companies have scripts to automate the steps to secure systems following an employee’s departure.

Organizations need similar processes when Office 365 is in the picture. With the growth in mobile apps and devices, it is not enough to simply change a password or disable an account. If someone is leaving the company, you need to consider at least four actions:

  1. Change the account password.
  2. Force sign-outs across all Office 365 applications.
  3. Wipe mobile devices using ActiveSync (or the Clear-MobileDevice cmdlet) or Intune (which offers both full and selective wipes).
  4. Recover and preserve data. For example, by making the user’s mailbox inactive.

If your company provides devices to users, you can add recovery of those devices to the list along with other corporate paraphernalia like ID badges and smartcards. And then there is the small matter of ensuring that you do not pay for licenses (Office 365, Azure AD Premium, add-ons, etc.) for ex-employees for longer than necessary.

Resetting Passwords and Blocking Accounts

It has always been relatively easy to change someone’s password using PowerShell or the Office 365 Admin Center. Find the user account, edit its properties and select Reset Password (Figure 1). The only thing to remember when dealing with an account belonging to an ex-employee is not to send them the message with the new password after you receive it from Office 365.

Changing Office 365 password
Figure 1: Changing a password for an Office 365 account (image credit: Tony Redmond)

You can also go to the Sign-in status section of the user properties and set it to Sign-in blocked to make sure that Office 365 will allow no further connections to the account. If the user tries to access the account, even with the new password, they will see that their account is locked (Figure 2).

Blocked Office 365 User
Figure 2: A user account learns that their account is blocked (image credit: Tony Redmond)

The Forced Sign-Out Option Lurking in OneDrive Settings

Changing a password and blocking sign-in to the account is usually enough when people have an amicable exit from the company. But if you need to bring the hammer down immediately to block someone’s access to Office 365, you need to force a sign-out. This is especially so in an era of pervasive mobile devices where you want an all-points bulletin to go everywhere to prevent access to company information.

You can force an immediate sign-out using the Office 365 Admin Center or PowerShell. The only problem is that Microsoft buried the ability to force a sign-out for an account in the OneDrive Settings section of the properties for an account (Figure 3) rather than a prominent function like the Reset Password button.

Office 365 Forced Sign-Out
Figure 3: Where the forced sign-out function lives in OneDrive settings (image credit: Tony Redmond)

Apart from obscuring this very valuable feature from administrators, burying the ability to force a sign-out in OneDrive Settings means that it is inaccessible if the person never uses OneDrive. The first time someone goes near OneDrive, SharePoint provisions that user’s site and all is well. But if they never use OneDrive and do not have a site, the Admin Center will not display any OneDrive settings.

Revoking Tokens

In most cases, the OneDrive site for a user exists and you can force an account to sign-out through the Office 365 Admin Center. If not, or when you have several accounts to process at the same time, you can use the Revoke-AzureADUserAllRefreshToken cmdlet, which is part of the Azure Active Directory PowerShell module (V2). This is the cmdlet called by the Office 365 Admin Center when it forces a user to sign-out. For example:

[PS] C:\> Revoke-AzureADUserAllRefreshToken -ObjectId [email protected]

The cmdlet works by invalidating all the refresh tokens used to obtain new access tokens for Office 365 applications by setting their expiry to the current date and time. When a user authenticates to connect to an Office 365 application, they create a session with that application. The session receives an access token and a refresh token from Azure Active Directory. An Office 365 access token is valid for an hour (the period can be changed if needed). When that period elapses, an automatic reauthentication process kicks in to get a new access token to allow the session to continue. This exchange can happen if the refresh token is still valid and the account credentials are the same.

Because the forced sign-out invalidates the refresh tokens, the next time a session to an Office 365 application tries to use its refresh token to renew its access, it discovers that the token has expired and so forces the user to reauthenticate. As you have already changed the account password and blocked access, the user cannot reauthenticate.

The exact time when an application enforces the requirement to reauthenticate depends on how much longer the access token for the session is valid when you start the sign-out process and the actions taken by the user. If they stay in the same page, the sign-out happens when the access token expires. On the other hand, the sign-out happens at once if they move to another page within the application, refresh the browser, or open another Office 365 application. This support article has more information about Office 365 access and refresh tokens.

What is important is that once you start the forced sign-out process, the user rapidly loses access to applications. You are guaranteed that all access will finish within an hour.

Easy to Do, If You Know How

The good news is that it is very easy to block user access to Office 365. That is, if you know where to find the forced sign-out feature in the Office 365 Admin Center or know about the PowerShell cmdlet. Now that you do know, it should be all plain sailing from here. All you need to do now is figure out the rest of the process to wipe mobile devices, recover data, reassign or remove licenses, and all the other details involved in handling the transition of people out of an organization.

If you are at the Ignite 2017 conference in Orlando this month, be sure to drop by one of my sessions!

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.