Forum Discussion
Password Expiry/Reset
- Jan 07, 2021
Hi JamesCumberton,
Technically, you can. In our organization we wanted to force sign-out users when their accounts get disabled or passwords are reset/changed, and so instead of waiting for the Azure refresh token to expire we solved the situation by running the following cmdlet when that action occurs:
Set-MsolUser -UserPrincipalName $User -StsRefreshTokensValidFrom (Get-Date)
The key is, you'll need an interceptor to trigger this action when the condition occurs. If your domain is federated, your on-premise AD should have an interceptor that can catch when a password change/password expiry/account disable happens, and then execute the MSOL cmdlet to revoke the Azure token (or, like we have done, place the script in an Azure runbook, create a webhook, and have the AD interceptor call the webhook and pass the username).
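As an added illustration (not code from this thread or from any of its posters), this is what the runbook end of the webhook setup described above can look like: the interceptor POSTs the username, the runbook validates it and moves StsRefreshTokensValidFrom to now. The stored credential name 'MsolAdmin' and the JSON field 'UserPrincipalName' are assumptions.

```powershell
# Added example: Azure Automation runbook invoked through a webhook.
# Assumes a stored Automation credential named 'MsolAdmin' (placeholder) and a
# caller that POSTs a JSON body such as {"UserPrincipalName":"user@contoso.example"}.
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# Accept only invocations that arrive through the webhook with a body;
# a manual start with no payload must not touch any account.
if (-not $WebhookData -or -not $WebhookData.RequestBody) {
    throw 'No webhook payload received; refusing to run.'
}

# Parse the JSON body sent by the on-premises interceptor (MIM, Power Automate, etc.).
$payload = $WebhookData.RequestBody | ConvertFrom-Json
$upn = [string] $payload.UserPrincipalName

# Validate the UPN shape before touching the directory, so a malformed or
# unexpected payload never reaches Set-MsolUser.
if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    throw "Rejected payload: '$upn' is not a well-formed UPN."
}

# Authenticate with a credential stored in the Automation account, never in the script.
$cred = Get-AutomationPSCredential -Name 'MsolAdmin'
Connect-MsolService -Credential $cred

# Move the 'refresh tokens valid from' timestamp to now: every refresh token issued
# before this instant is rejected on its next use, forcing the user to sign in again.
$now = Get-Date
Set-MsolUser -UserPrincipalName $upn -StsRefreshTokensValidFrom $now

# Read the value back so the job log records that the revocation took effect.
$user = Get-MsolUser -UserPrincipalName $upn
Write-Output ("Refresh tokens for {0} invalidated as of {1:o}" -f $upn, $user.StsRefreshTokensValidFrom)
```

The webhook URL is the only thing authenticating the caller, so store it like a credential and rotate it on the same schedule. The MSOnline module is deprecated; the same revocation is available through Microsoft Graph PowerShell with Revoke-MgUserSignInSession.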
What interceptor are you referring to? I have a ticket open with Microsoft and they are telling me this can't be done and have no idea what you are referring to.
- boneyfrancis, Oct 23, 2023 (Iron Contributor)
whitephnx2 The interceptor we use is MIM, but it can be anything. If you have an email notification whenever the password is reset, you can create a rule to Bcc a copy of that notification to a shared mailbox, and have Power Automate (for instance) revoke the token when a notification mail arrives.