Forum Discussion
A cached password on a mobile device is still accessing Office 365 emails
Hi
I have been asked to advise a client who is convinced that, although a former user's password has been reset, they appear to be both accessing and forwarding their emails via their own mobile. Note that management still want to access the mailbox, so I won't be disabling the account just yet.
Actions so far:
- The client has disabled the protocols for the user, e.g. POP3, IMAP, etc.
- I have initiated the OneDrive sign-out as described in the link below, although this has a caveat, especially for Office Web Access.
https://support.office.com/en-gb/article/Remove-a-former-employee-from-Office-365-44d96212-4d90-4027-9aa9-a95eddb367d1?ui=en-US&rs=en-GB&ad=GB&fromAR=1#bkmk_mobile
Has anyone had similar experiences? Did you have to use PowerShell to resolve it?
Daniel
There are two types of token issued when a user authenticates to O365 (via Modern auth, that is): an access token, the one actually granting the access, and a refresh token, used to "renew" access. The cmdlet and the admin UI button revoke the refresh token, so that no new access tokens can be renewed unless the user logs back in. Any valid access tokens remain active though, and their lifetime is 1 hour, so that's the worst-case scenario.
More info for example here: https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
Revoking the refresh token is the best solution; however, it does NOT revoke any access tokens. So, worst-case scenario, he has 1 hour of access left. Blocking the protocols/disabling the account is another option.
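Assuming the Microsoft.Graph and ExchangeOnlineManagement modules and placeholder addresses, here is an added PowerShell example (not from any poster in this thread) that carries out the containment discussed above: revoke the refresh tokens, close the mobile protocols, drop the device partnerships, and clear any mailbox-level or inbox-rule forwarding, while keeping management's access through delegation rather than the old credentials.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the admin has the needed
# roles. Both addresses below are placeholders.
$Upn        = 'former.user@contoso.example'
$ManagerUpn = 'manager@contoso.example'

# 1. Revoke refresh tokens. Access tokens already issued stay valid until they
#    expire (the thread puts that at about one hour), so this is not instant.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Revoke-MgUserSignInSession -UserId $Upn

# 2. Close the mobile and legacy-protocol paths into this mailbox.
Connect-ExchangeOnline
Set-CASMailbox -Identity $Upn -ActiveSyncEnabled $false -OutlookMobileEnabled $false `
    -OWAforDevicesEnabled $false -PopEnabled $false -ImapEnabled $false -EwsEnabled $false

# 3. Record which devices have synced recently, then remove every partnership so
#    any re-sync needs a fresh, now-impossible sign-in with the old password.
Get-MobileDeviceStatistics -Mailbox $Upn |
    Select-Object DeviceType, DeviceModel, DeviceAccessState, LastSuccessSync |
    Format-Table -AutoSize
Get-MobileDevice -Mailbox $Upn | Remove-MobileDevice -Confirm:$false

# 4. Forwarding configured on the mailbox itself survives a password reset; show
#    it, then clear it.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 5. Inbox rules that forward or redirect also survive the reset; list and remove them.
$forwardingRules = Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
$forwardingRules | Select-Object Name, Enabled, ForwardTo, RedirectTo | Format-Table -AutoSize
$forwardingRules | Remove-InboxRule -Confirm:$false

# 6. Give management access through delegation so nobody needs the user's credentials.
Add-MailboxPermission -Identity $Upn -User $ManagerUpn -AccessRights FullAccess -InheritanceType All
```

Run steps 3 to 5 again after about an hour, once any outstanding access tokens have expired, to confirm no device has re-synced and no forwarding has reappeared.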
- Daniel Westerdale (Iron Contributor): @vasil
Can you please explain what you mean by revoking the access token not actually revoking the access token?
- Geoffrey Bronner (Iron Contributor): I think you could also log in to the account and go to Options / General / Mobile Devices and remove all devices from the account? Then someone would need to be able to log in to add a device back.
- Daniel Westerdale (Iron Contributor): @geoffrey
I have forwarded your reply to my client and we'll check when I get in tomorrow morning.