Azure AD Hardening - Revoke disabled sign-in tokens


As part of my efforts to harden clients' Azure accounts, we need to remove all the sign-in tokens from disabled accounts. Why? It's very simple: if you don't, any device that is already signed in still has access. For example, I terminate a user and block their sign-in in Office 365. It may take up to 24 hours for all of their tokens to be blocked, which means the user may still be able to read their email for up to 24 hours, and they could steal a lot of data in that time. So we tell Azure AD to revoke all of the tokens now. The next time Outlook tries to fetch email, the token it presents is no longer recognized, and because sign-in is blocked, that's it for them getting new email. This doesn't stop them from reading PST files they already have, and things of that nature; other security measures are needed for that. As part of the hardening steps, I revoke all disabled users' refresh tokens. It's a single command and it's easy to do. This assumes you have the AzureAD module installed, imported, and connected.

Get-AzureADUser -All $true | Where-Object {$_.AccountEnabled -eq $false} | ForEach-Object {Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId}

What we are doing here is grabbing all the Azure AD users with Get-AzureADUser. Note that Get-AzureADUser returns only the first 100 users unless you pass -All $true, so include it or you will silently miss disabled accounts in larger tenants. Then we filter down to just the disabled accounts with Where-Object. Then we loop through those users with ForEach-Object, and each disabled user gets Revoke-AzureADUserAllRefreshToken run against it. Notice the $_. This is the current object coming down the pipeline. Revoking invalidates the user's existing refresh tokens, so the next time a client tries to refresh, the old token is rejected and the user has to sign back in. However, since you disabled them, they can't get back in.
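The same revocation as a script with a dry-run switch, per-user error handling and a CSV audit record, added here as an example and not the post's own one-liner. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the $LogPath name and the post-revoke read-back of RefreshTokensValidFromDateTime are my additions.

```powershell
# Added example (not the post's original one-liner): revoke refresh tokens for every
# disabled user with per-user error handling, a -WhatIf dry run, and a CSV audit log.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$LogPath = ".\revoked-tokens-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
)

# -All $true is required: Get-AzureADUser returns only the first 100 users by default,
# so a plain one-liner silently misses disabled accounts in larger tenants.
$disabledUsers = Get-AzureADUser -All $true |
    Where-Object { $_.AccountEnabled -eq $false }

Write-Verbose ("Found {0} disabled user(s)" -f @($disabledUsers).Count)

$results = foreach ($user in $disabledUsers) {
    # Run the script with -WhatIf to list the affected accounts without changing anything.
    if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, "Revoke all refresh tokens")) {
        continue
    }
    try {
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
        # Re-read the user: a successful revoke moves RefreshTokensValidFromDateTime to now,
        # so any refresh token issued before that timestamp is rejected on its next use.
        $after = Get-AzureADUser -ObjectId $user.ObjectId
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            ObjectId          = $user.ObjectId
            TokensValidFrom   = $after.RefreshTokensValidFromDateTime
            Status            = 'Revoked'
            Error             = ''
        }
    }
    catch {
        # Keep going on failure; one broken account should not stop the rest of the run.
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            ObjectId          = $user.ObjectId
            TokensValidFrom   = $null
            Status            = 'Failed'
            Error             = $_.Exception.Message
        }
    }
}

# Persist the audit record for the hardening report, then show a summary.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table UserPrincipalName, Status, TokensValidFrom -AutoSize
```

Run it once with -WhatIf to confirm the list of disabled accounts before the real pass, and keep the CSV with the rest of the hardening evidence.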
