How to revoke Microsoft Office 365 access in bulk
From time to time, an IT admin is asked to block certain users from Microsoft Office 365 access. For example, you may want to reset passwords, or revoke access for certain employees who are already signed into various Microsoft 365 applications. Continue reading to learn all the steps to accomplish this.
Using the Microsoft Admin Center to revoke user access
Blocking users and revoking their access can be done in the Microsoft admin center, but revoking access for employees who are already signed into apps can only be done one by one there. This makes it a time-consuming and tedious process.
You should note that it can take up to 15 minutes for this process to complete, regardless of how it’s done. A user whose sessions have been revoked will be able to sign back in immediately unless you have also blocked their sign-in status.
Steps to revoke user access in Microsoft Admin Center
- Go to the Microsoft Admin Center and choose Active users from the menu on the left side.
- Click on the employee.
- Click on “Sign out of all sessions”.
- Choose to initiate a one-time event that will sign this person out of all Microsoft 365 sessions across all devices.
Limitations of revoking user access in the Microsoft Admin Center
While revoking user access in the Microsoft Admin Center can only be done one user at a time, blocking users from signing in can be applied to several users at once. However, if you have a very large user environment, this will in practice also have to be done one by one, since you need to search for each user in order to select them, which takes time and effort. Another option is to use a PowerShell script that you either write or find online.
How to use PowerShell to revoke Microsoft Office 365 access
Because of the Microsoft Admin Center’s limitations, many IT admins choose to use a PowerShell script to accomplish this job. However, this particular script will be complex. Your PowerShell script will need to connect to Microsoft Graph, and you will need to include one cmdlet for revoking access and another for blocking users’ ability to sign in.
Revoking user access with PowerShell
- You’ll first need to connect to Entra ID (aka Azure AD) by running: Connect-MgGraph.
- Revoke access for a user with this cmdlet: Revoke-MgUserSignInSession.
Details on using this PowerShell cmdlet can be found on this page.
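The two steps above, combined into a bulk run, as an added example (not code from this article or from sapio365). It assumes a CSV file with a UserPrincipalName column, the User.ReadWrite.All Graph scope, and Update-MgUser -AccountEnabled:$false as the cmdlet that blocks sign-in; the parameter names $CsvPath and $ReportPath are hypothetical. Sign-in is blocked before sessions are revoked, so a signed-out user cannot sign straight back in.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical input file with a single column named UserPrincipalName
    [Parameter(Mandatory)][string]$CsvPath,
    # Hypothetical audit report location
    [string]$ReportPath = '.\revoke-report.csv'
)

# Assumed scope: covers disabling the account and revoking its sessions
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = "$($row.UserPrincipalName)".Trim()
    if (-not $upn) { continue }   # skip blank rows

    $status = [ordered]@{ User = $upn; Blocked = $false; Revoked = $false; Error = $null }
    try {
        # Resolve the account first so a typo in the file is reported, not acted on
        $user = Get-MgUser -UserId $upn -ErrorAction Stop

        if ($PSCmdlet.ShouldProcess($upn, 'Block sign-in and revoke sessions')) {
            # 1. Block sign-in, otherwise the user can sign in again right away
            Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
            $status.Blocked = $true

            # 2. Invalidate refresh tokens and session cookies already issued
            Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
            $status.Revoked = $true
        }
    }
    catch {
        # Record the failure and carry on with the remaining users
        $status.Error = $_.Exception.Message
    }
    [pscustomobject]$status
}

# Always write the report, even on a -WhatIf dry run
$results | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

# Surface accounts that need manual follow-up
$results | Where-Object { $_.Error -or -not $_.Revoked } | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it with -WhatIf first to confirm every row in the file resolves to the intended account, then review the report for rows where Blocked is True but Revoked is False.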
Limitations of revoking user access with PowerShell
Of course, you need to have a certain level of familiarity with PowerShell, ideally the ability to write complex scripts, in order to take advantage of this option. You may be able to find a script online, but there is no way to check that the script actually works as it should. There is always the threat of introducing errors into your environment. For those IT admins who want to avoid using PowerShell, it’s great to have another option.
Using a PowerShell alternative for an easier way to block Microsoft Office 365 access
Another way to revoke Microsoft Office 365 access is by using a software tool such as sapio365. With sapio365, you don’t need a PowerShell script; you only need to click.
Steps to revoke user access with sapio365
- Go to the Users module in sapio365.
- Select your users individually or you can select them all at once through a file. Using a file is more accurate and it helps ensure that you won’t miss any.
- To block users from signing in, click on the “Edit” button and set Sign-in to False.
- To revoke access, click on the “Revoke access” button.
You will see that these employees now have “Revoke Pending” showing next to their names, and their “Sign-in status” has been set to “Blocked”. You can review these users for accuracy and save. Once saved, the users will be kicked out of their sessions.
For added convenience you can select your users and choose the automated USER OFFBOARDING job in the job library on the left-hand side. This allows you to automate the offboarding process. When you click, you will see a dialog box with a user detail section where you can choose the same options, such as block sign-in, reset password and revoke access. You should note that the USER OFFBOARDING automated job provides many options and allows you to customize your process.
Benefits of revoking user access with sapio365
Revoking Microsoft Office 365 access is often part of the offboarding process. Offboarding multiple employees can be time-consuming, and you must make sure you don’t forget any steps as that may create security issues. Learn more about standardizing Microsoft 365 offboarding here.
There is an entire library of automated jobs in sapio365, created to make your life easier. Discover how using sapio365 to handle typical Microsoft 365 administration can save you hours of time every single day.