
windows2000
Brass Contributor
Apr 06, 2020
Solved

Disabled teams account can still log in

Hey, I am noticing a behaviour that I can reproduce right now that is very disturbing to my users/managers.

We are having to terminate people due to COVID, but we want to offer the ability for them to come back one day, so the accounts are not being deleted, merely disabled.

I have noticed that if a user is still logged into Teams, even though their AD account is disabled and Office 365 says "blocked", they can still get in and attend Teams meetings! I can even send an email calendar invite to a meeting and the user can join that meeting. Tested 1 hour after they were disabled in AD and blocked in Office 365.

Obviously this is a huge problem!!! I have read other posts that an "ActiveSync" connection may be left open for possibly days. Is this what is happening? It seems more specific to Exchange though.

ref: https://old.reddit.com/r/sysadmin/comments/8jlqmn/terminated_employee_sent_email_an_hour_after/

Is there a setting somewhere or a way to force disabled users to log out? I even changed the user's password and they can still open Teams and it just auto logs them in.

  • SuleimanDC
    Iron Contributor

    The most secure way to manage this would be to change their passwords at the same time when blocking the accounts.

    • Muxacka
      Copper Contributor

      SuleimanDC Revoke the sessions from the Azure AD account page; this will kill all the O365 active sessions by revoking the tokens.

  • PDostiyar
    Bronze Contributor

    windows2000 A quick workaround for this could be turning off their Teams licence so they are not able to use Microsoft Teams in the desktop/mobile/cloud version, since if they try to log in they will get no licence / no active Teams licence.

    I hope this will work and resolve your issue!

      • Wignacourt
      Copper Contributor

      I tried that about three weeks ago and it worked; I tried it again yesterday and it didn't work. I think you need to revoke licences.

  • windows2000
    Brass Contributor

    Looks like I was able to block the attempt after some time now with the following command:

    Revoke-AzureADUserAllRefreshToken -ObjectId user@domain.ca

    ref: https://www.petri.com/blocking-access-office-365-user

    Of course you have to connect to Azure first with PowerShell.

    Install-Module AzureAD -Force
    Import-Module AzureAD
    Connect-AzureAD

  • Disabling a user doesn't immediately terminate access, this has been discussed in numerous threads/blog posts which you can look up for additional details. TL;DR version is that users will have access until the tokens expire, and if you want to speed things up a bit you can revoke tokens via the O365 admin portal or the Revoke-AzureADUserAllRefreshToken cmdlet.

      • windows2000
      Brass Contributor

      VasilMichev If it was in "numerous threads" I would have found it this morning easily by searching. There was nothing specific to Teams. Even this command I found is for Azure AD. I would think Office 365 would behave better. A blocked user is a blocked user and therefore should force a disconnect at that time. Stupid that I have to run manual commands.
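
Putting the thread's advice together (the accepted answer's Revoke-AzureADUserAllRefreshToken, SuleimanDC's password reset, PDostiyar's licence removal, and VasilMichev's point that access persists until tokens expire), the following is an added offboarding script. It is not code from the thread, from Microsoft, or from the petri.com article; it assumes the AzureAD module named in the accepted answer is installed and that Connect-AzureAD has already been run by an administrator. The parameter names $UserPrincipalName and -RemoveLicenses are chosen for this example, and the verification step relies on the RefreshTokensValidFromDateTime property that Get-AzureADUser returns.

```powershell
# Added example (not from the thread): offboard one user in the order that actually
# ends sessions. Assumes the AzureAD module is loaded and Connect-AzureAD has run.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,

    # Hypothetical switch for this example: also strip every assigned licence SKU
    # (and with it the Teams service plan). SKU names differ per tenant, so the
    # script removes whatever is assigned rather than naming a SKU.
    [switch]$RemoveLicenses
)

$user   = Get-AzureADUser -ObjectId $UserPrincipalName
$before = $user.RefreshTokensValidFromDateTime

# 1. Block sign-in. This is the "blocked" state the original post describes; on its
#    own it does not end sessions whose access/refresh tokens are still valid.
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# 2. Reset the password to a random value nobody knows (SuleimanDC's suggestion).
#    A password change alone also leaves existing tokens usable, hence step 3.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword -ForceChangePasswordNextLogin $true

# 3. Invalidate all refresh tokens so Teams and other clients cannot silently renew
#    their access tokens (the cmdlet from the accepted answer).
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 4. Optional: remove licences so even a session that outlives its token has no
#    Teams service to use (PDostiyar's workaround, done for all SKUs).
if ($RemoveLicenses) {
    $user = Get-AzureADUser -ObjectId $user.ObjectId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.RemoveLicenses = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
    if ($licenses.RemoveLicenses.Count -gt 0) {
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
    }
}

# 5. Verify: RefreshTokensValidFromDateTime must have moved forward. That timestamp
#    is the tenant-side evidence that older refresh tokens are now rejected.
$after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
if ($before -and $after -le $before) {
    Write-Warning "Refresh-token cutoff did not advance for $UserPrincipalName; check the revoke step."
} else {
    Write-Output "Sessions for $UserPrincipalName invalidated as of $after (UTC)."
    Write-Output "Access tokens issued before that moment remain valid until they expire (default lifetime is about one hour)."
}
```

Run it as `.\Offboard-User.ps1 -UserPrincipalName user@domain.ca -RemoveLicenses` (the file name is assumed). The ordering matters: disabling the account and changing the password stop new sign-ins, but only the revoke step invalidates refresh tokens, and even then an access token already held by the Teams client works until it expires, which is why a blocked user can still appear in a meeting for roughly an hour afterward. The AzureAD module is being retired; the Microsoft Graph equivalent of the revoke step is Revoke-MgUserSignInSession.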
