This script will allow you to execute a recommended set of steps to fully re-secure and remediate a known breached account in Office 365. It peforms the following actions: Reset password (which kills the session). Remove mailbox delegates. Remove mailforwarding rules to external domains. Remove global mailforwarding property on mailbox. Enable MFA on the user's account. Set password complexity on the account to be high. Enable mailbox auditing. Produce Audit Log for the admin to review.
Changing password doesnt invalidate access tokens though, I think this is still not rolled in to the service. So as Nuno suggested, some additional actions might be required to immediatelly block access. I've seen also people disabling mail protocols (Set-CasMailbox) or changing the mailbox quota to something below the limit, etc.