Forum Discussion
Kiril
Aug 05, 2022 | Iron Contributor
Fastest workflow to block a phished user?
If a user gets phished, or his credentials get leaked - what's the first thing you do, before you start investigating the issue? A few questions concerning this issue: - Is it enough to block the...
Kiril
Aug 08, 2022 | Iron Contributor
EmekaNgene, thank you.
I think you misunderstood question 2): the question was about blocking a user in Microsoft admin center (https://admin.microsoft.com/ -> Active users -> select user -> Block sign-in) - not about restricted users. If I block a user through Microsoft admin center, this user is not added to the restricted users. Thus my question: is blocking the sign-in of a user restricting him from sending e-mail, in case he has an active session?
Follow-up question: is it possible to manually add a user to the restricted users list, if I suspect him to be phished?
EmekaNgene
Aug 08, 2022 | MCT
Hello Kiril
1) Is blocking the sign-in of a user restricting him from sending e-mail, in case he has an active session?
It won't restrict him from sending email or stop active sessions; it will stop further sign-ins to the mailbox. To stop active sessions you will have to sign him out of all active sessions using the Sign out of all sessions tab under the accounts tab in the user's properties pane in the admin center.
Within an hour - or after he leaves the current Microsoft 365 page he was on - he is prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether he navigates out of his current webpage.
However, if he is in Outlook on the web, just clicking around in his mailbox, he may not be kicked out immediately. As soon as he selects a different tile, such as OneDrive, or refreshes his browser, the sign-out is initiated.
2) Follow-up question: is it possible to manually add a user to the restricted users list, if I suspect him to be phished?
It is not possible to add a user manually to the restricted users list.
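The two admin center steps described in this answer (Block sign-in, then Sign out of all sessions) can also be scripted. The following is an added example, not part of the original posts; it assumes the Microsoft Graph PowerShell SDK is installed and that the Graph `accountEnabled` property and `revokeSignInSessions` action are the equivalents of those two buttons. The script name and the UPN in the usage comment are constructed placeholders.

```powershell
# Contain-PhishedUser.ps1 (hypothetical script name, added example)
# Usage: .\Contain-PhishedUser.ps1 -UserPrincipalName user@example.com   (constructed UPN)
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string]$UserPrincipalName
)

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions -ErrorAction Stop
Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null

# Resolve the account first so a typo in the UPN fails before anything is changed.
$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop

if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in and revoke sessions')) {

    # Step 1: block sign-in. This stops new sign-ins only; sessions that are
    # already established keep working until step 2 takes effect.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop

    # Step 2: sign out of all sessions by invalidating refresh tokens.
    # An access token that was already issued can still be used until it
    # expires (about an hour, as noted above), so this is not instantaneous.
    Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null

    # Step 3: read the account back and record what was done, for the incident notes.
    $after = Get-MgUser -UserId $user.Id `
        -Property UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime

    [pscustomobject]@{
        User                   = $after.UserPrincipalName
        AccountEnabled         = $after.AccountEnabled
        SessionsValidFromUtc   = $after.SignInSessionsValidFromDateTime
        ContainedAtUtc         = (Get-Date).ToUniversalTime()
    }
}
```

Run it with `-WhatIf` first to confirm the resolved account before making changes.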