Immediately revoke access to Office 365 applications
source link: https://www.michev.info/Blog/Post/1137/immediately-revoke-access-to-office-365-applications/comment-page-1
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Immediately revoke access to Office 365 applications
Being able to immediately revoke user’s access to applications is one of the most requested security related features for Office 365. Because of the different caching mechanisms employed in the service and/or the apps you use, accomplishing this can be a tricky task. As an example, you can refer to this article detailing the different factors that affect this in Exchange (Online). Modern authentication made things even messier, with the very long validity of the refresh tokens and the lack of proper methods to revoke them.
Almost a year ago, the SharePoint Online team gave us the opportunity to revoke access via the Revoke-SPOUserSession cmdlet. I blogged about this here. Now, at long last, we finally have global control over this via the AzureAD PowerShell module and Revoke-AzureADUserAllRefreshToken cmdlet. Here are few examples on how to use the cmdlet:
-
The only parameter the cmdlet accepts is -ObjectId, which isn’t really convenient (if only the folks at Microsoft listened to feedback):
C:\> Revoke-AzureADUserAllRefreshToken-ObjectId582b2b38-888c-4b85-8471-c9716cb4791bNo output will be returned unless an error occurs.
-
An easier way is to get the objectId via the Get-AzureADUser cmdlet and pipe it to Revoke-AzureADUserAllRefreshToken:
C:\>Get-AzureADUser-SearchStringhuku | Revoke-AzureADUserAllRefreshToken -
Similarly, you can do something like this:
C:\> Revoke-AzureADUserAllRefreshToken-ObjectId(Get-AzureADUser-SearchStringhuku).objectId -
Our you can get more creative like for example revoking access for all members of a particular group:
C:\>Get-AzureADGroup-SearchStringCloudSecGrp |Get-AzureADGroupMember| Revoke-AzureADUserAllRefreshToken
Another similar cmdlet exists, namely Revoke-AzureADSignedInUserAllRefreshToken. It’s used to revoke tokens for the currently signed in user, i.e. the one issuing the cmdlet. It doesn’t accept any parameters and can be used to for testing/development purposes.
Lastly, a word of caution. Although the cmdlet does revoke the refresh token, the access token remains valid and the user will be able to continue to access data until the browser is closed (or the app restarted). In other words, the user is not immediately forced to reauthenticate, but with the refresh token purged he will have to do so as soon as the access token has expired (max 1 hour). Or the app/browser is closed.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK