Forum Discussion
A cache password on a mobile device is still accessing Office 365 Emails
- Aug 08, 2017
There are two types of token issued when a user authenticates to O365 (via Modern auth, that is): an access token, the one actually granting the access, and a refresh token, used to "renew" access. The cmdlet and the admin UI button revoke the refresh token, so that no new access tokens can be renewed unless the user logs back in. Any valid access tokens remain active though, and their lifetime is 1 hour, so that's the worst case scenario.
More info for example here: https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
Revoking the refresh token is the best solution; however, it does NOT revoke any access tokens. So, worst case scenario, he has 1 hour of access left. Blocking the protocols/disabling the account is another option.
Can you please explain what you mean by revoking the access token not actually revoking the access token?
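
The behaviour described in the replies above, as an added example that is not part of the original thread and is not Azure AD's implementation. It is a simplified model: the `TokenService` class, the `resource_accepts` check, the user name and the timestamps are all constructed for illustration; only the 1-hour access token lifetime comes from the thread.

```python
from dataclasses import dataclass, field

ACCESS_LIFETIME = 3600  # seconds; the 1-hour access token lifetime stated in the thread

@dataclass
class TokenService:
    """Toy identity provider (hypothetical model, not Azure AD code)."""
    revoked_at: dict = field(default_factory=dict)  # user -> time of last revocation

    def sign_in(self, user, now):
        # Interactive login: issue an access token and a refresh token.
        access = {"user": user, "exp": now + ACCESS_LIFETIME}
        refresh = {"user": user, "iat": now}
        return access, refresh

    def revoke_refresh_tokens(self, user, now):
        # The admin action in this model: refresh tokens issued up to now stop working.
        self.revoked_at[user] = now

    def redeem(self, refresh, now):
        # Exchange a refresh token for a new access token; fails after revocation.
        if refresh["iat"] <= self.revoked_at.get(refresh["user"], -1):
            return None
        return {"user": refresh["user"], "exp": now + ACCESS_LIFETIME}

def resource_accepts(access, now):
    # The mail service checks only the token's own expiry; it does not ask the
    # identity provider whether a revocation happened.
    return access is not None and now < access["exp"]

def timeline():
    """Constructed scenario: sign in at t=0, admin revokes at t=600 (10 minutes)."""
    idp = TokenService()
    access, refresh = idp.sign_in("user@example.com", now=0)
    idp.revoke_refresh_tokens("user@example.com", now=600)
    return {
        "mail_access_at_11_min": resource_accepts(access, now=660),
        "renewal_at_11_min": idp.redeem(refresh, now=660) is not None,
        "mail_access_at_61_min": resource_accepts(access, now=3660),
        "seconds_left_after_revoke": access["exp"] - 600,
    }

if __name__ == "__main__":
    for name, value in timeline().items():
        print(name, value)
```

The already-issued access token keeps working after the revocation and dies at its own expiry, while the refresh token is rejected immediately, which is why blocking protocols or disabling the account is mentioned as the option that closes the remaining window.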