Forum Discussion
Automating MFA Token Invalidation Upon User Account Disablement
Thanks for your input.
The IDM connector does not natively support token revocation, so we may need to trigger a PowerShell script to invoke revokeSignInSessions to achieve this functionality. Also, transitioning from the current on-prem disable to direct Entra ID disable requires careful planning and due diligence.
How does CAE help in this scenario? https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation Can it be effectively implemented for Office 365 apps? What are the key steps and potential challenges to consider?
Hi @kaselva,
CAE is already helping you behind the scenes.
As described in the following link, there are two "halves" to CAE: critical event evaluation (the one of relevance to this discussion) and access policy evaluation (not relevant). In both cases, it only works where the platform/application is coded to leverage the CAE APIs, but fortunately, key Microsoft platforms like Exchange Online, SharePoint, etc. are.
Note that account disablement is one of the critical events listed in this article, and then pair that up with Microsoft's recommended actions for terminating tokens, where one of the three actions is account disablement:
Obviously, you can't directly disable a synchronised Azure account - that has to flow via AAD Connect, but you can revoke the sign-in sessions and registered devices.
It's not surprising that your IDM Graph-native connector doesn't expose this functionality, but you should be able to author a custom connector that can take on this requirement (in Microsoft Identity Manager, this would be via the PowerShell connector type).
Cheers,
Lain
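The two Graph actions the thread refers to (revokeSignInSessions, plus disabling the user's registered devices), wired into a script that an IDM PowerShell connector could call when the on-prem disable fires. This is an added example written for this page, not code from either poster or from Microsoft. It assumes Microsoft Graph PowerShell SDK v2 modules, an app registration used for unattended certificate auth (the tenant ID, client ID and thumbprint below are placeholders), and that the app has been granted the application permissions named in the comments; the function name Revoke-OffboardedUserAccess is this example's own.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement
<#
  Added example: revoke an offboarded user's Entra ID sessions and disable their
  registered devices via Microsoft Graph PowerShell. Tenant/app values are
  placeholders (assumed), not real identifiers. Run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $TenantId              = '<tenant-id>',                   # assumed placeholder
    [string] $ClientId              = '<app-registration-client-id>',  # assumed placeholder
    [string] $CertificateThumbprint = '<cert-thumbprint>'              # assumed placeholder
)

# App-only (certificate) sign-in so the IDM job host can run this unattended.
# Assumed application permissions on the app registration, admin-consented:
#   User.Read.All, User.RevokeSessions.All (or User.ReadWrite.All), Device.ReadWrite.All
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome

function Revoke-OffboardedUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Upn)

    # Look the user up by UPN; fail loudly rather than silently doing nothing.
    $user = Get-MgUser -UserId $Upn -ErrorAction Stop `
        -Property 'id,userPrincipalName,accountEnabled,signInSessionsValidFromDateTime'

    # Step 1: revoke refresh tokens and session cookies. This stamps
    # signInSessionsValidFromDateTime on the user; refresh tokens minted before
    # that instant are rejected, and CAE-aware services (Exchange Online,
    # SharePoint Online) drop existing access tokens early. Clients that do not
    # support CAE keep their access token until it expires on its own.
    if ($PSCmdlet.ShouldProcess($Upn, 'Revoke sign-in sessions')) {
        $null = Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop
    }

    # Step 2: disable every still-enabled registered device, so the device can
    # no longer authenticate with its Primary Refresh Token and obtain new tokens.
    # Get-MgUserRegisteredDevice returns generic directory objects; the device
    # attributes live in AdditionalProperties, and .Id is the object ID that
    # Update-MgDevice expects in -DeviceId.
    $disabled = @()
    foreach ($d in (Get-MgUserRegisteredDevice -UserId $user.Id -All)) {
        if ($d.AdditionalProperties['accountEnabled'] -eq $false) { continue }
        $name = $d.AdditionalProperties['displayName']
        if ($PSCmdlet.ShouldProcess($name, 'Disable registered device')) {
            Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false -ErrorAction Stop
            $disabled += $name
        }
    }

    # Re-read the user so the caller sees the timestamp Entra actually recorded.
    $after = Get-MgUser -UserId $user.Id `
        -Property 'accountEnabled,signInSessionsValidFromDateTime'

    # A synchronised account stays enabled in Entra until AAD Connect exports the
    # on-prem disable. Until then the user could sign in again with a valid
    # password, so surface that state instead of hiding it.
    if ($after.AccountEnabled) {
        Write-Warning "$Upn still accountEnabled in Entra ID; sessions revoked, but re-authentication remains possible until the on-prem disable syncs."
    }

    # Structured result for the IDM connector to log or act on.
    [pscustomobject]@{
        UserPrincipalName     = $user.UserPrincipalName
        AccountEnabledInEntra = $after.AccountEnabled
        SessionsValidFrom     = $after.SignInSessionsValidFromDateTime
        DevicesDisabled       = $disabled
    }
}

Revoke-OffboardedUserAccess -Upn $UserPrincipalName
```

Because revocation does not depend on the Entra-side accountEnabled flag, the script is meant to run at the moment the on-prem disable is issued rather than after the next AAD Connect sync cycle; the warning it emits is the reminder that the disable itself still has to flow through sync, and that only CAE-capable clients lose their current access token immediately.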