A cache password on a mobile device is still accessing Office 365 Emails

Hi I have been asked to advise a client who is convinced that although a former user's password has been reset; they appear to be both accessing, and forwarding their emails via their own mobile...

exchange

office 365

security

VasilMichev
Aug 08, 2017
There are two types of token issued when user authenticates to O365 (via Modern auth that is): an access token, the one actually granting the access, and a refresh token, used to "renew" access. The cmdlet and the admin UI button revokes the refresh token, so that no new access tokens can be renewed unless the user logs back in. Any valid access token remain active though, and their lifetime is 1 hour, so that's the worst case scenario.

More info for example here: https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US

VasilMichev

MVP

Aug 07, 2017

Revoking the refresh token is the best solution, however it does NOT revoke any access tokens. So worse case scenario, he has 1 hour access left. Blocking the protocols/disabling the account is another option.

Geoffrey Bronner

Iron Contributor

Aug 07, 2017

I think you could also login to the account and go to Options / General / Mobile Devices and remove all devices from the account? Then someone would need to be able to login to add a device back.

Daniel Westerdale
Iron Contributor
Aug 07, 2017
@geoffrey

I have forwarded your reply to my client and we'll check when I get in tomorrow morning.

Forum Discussion

A cache password on a mobile device is still accessing Office 365 Emails

Resources