Share via


How to kill an active user session in Office 365

In situations involving compromised user accounts simply disabling an account is often not sufficient to mitigate the threat especially if the account is actively being using to send SPAM/Phishing email or to download data. There are three supported ways of revoking an active user’s session in Office 365.

The first option is found in the Office 365 Admin Center under Home > Active Users. Select a user and expand the OneDrive Settings section for that user. Select “Initiate” to perform a one-time sign-out for that user that revokes active sessions across Office 365 services including Exchange Online.

image

 

The second option to force logoff during an active user session in Office 365 to use Revoke-SPOUserSession cmdlet from the SharePoint Online PowerShell Module. This method is helpful for automating security incident response flows or when there is a need to revoke multiple users’ sessions.

image

 

The third option to force a user sign-out extends beyond Office 365 services to all active user sessions in any Azure AD application (thanks to Micah Linehan for recommending to include this option in the list). The Revoke-AzureADUserAllRefreshToken cmdlet is available in the AzureAD V2 PowerShell Module and expires a user's refresh token by modifying the user's token validity period.

image

Comments

  • Anonymous
    June 14, 2017
    nice onethanks
  • Anonymous
    June 21, 2017
    Excellent article, I have used the first method after extract the url that is generated by Initiate button (https://portal.office.com/admin/api/users//signoutOffice365) as an easy way to do it without have to navigate to Onedrive settings page.I need to test the other 2 methods anyway.Thanks Steve.