Security Issue


We had an employee whose account we set to expire on November 30th. Today, we find that they were still able to access their email via their personal Windows phone. I did an Audit Log search and there is no activity for that account between its expiration on 11/30 and today.

How long are credentials cached on phones?

What do I need to do as an Admin for Office 365 to make sure that when a person leaves they can no longer access company information?

4 Replies

What does "expire" mean in your case? If the account still exists and is active, depending on the type of application used you can continue to access data for days. We have the option to revoke tokens now, so you can integrate this as part of your "leavers" process, as well as blocking all protocols and additional actions such as changing the password, which have a more immediate effect.

In Active Directory you can set an account to expire on a specified date and time.

Right. And what are you using for authentication? Last time I toyed with this, only federated accounts had their tokens revoked upon account expiration/disable. But as I mentioned, you can also manually revoke tokens now, either via the O365 admin portal or via Revoke-AzureADUserAllRefreshToken.
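A scripted version of the leaver steps named in this reply (block sign-in, change the password, revoke refresh tokens, block mailbox protocols, then verify), added here as an example and not posted by anyone in the thread. It assumes the AzureAD and ExchangeOnlineManagement PowerShell modules, an already-licensed admin session, and a UPN parameter; the function name Disable-LeaverAccess is made up.

```powershell
# Added example: offboarding steps for an Office 365 / Azure AD user.
# Assumes the AzureAD and ExchangeOnlineManagement modules are installed.
function Disable-LeaverAccess {
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    Connect-AzureAD | Out-Null
    Connect-ExchangeOnline -ShowBanner:$false

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # 1. Block sign-in so no new tokens can be issued for the account.
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

    # 2. Rotate the password so credentials cached on a device (for example a
    #    phone using basic auth) fail at the next authentication.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure

    # 3. Revoke refresh tokens so existing sessions cannot renew silently.
    #    Caveat: access tokens already issued stay valid until they expire.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    # 4. Block every mailbox protocol; ActiveSync is what a phone typically uses.
    Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncEnabled $false `
        -OWAEnabled $false -PopEnabled $false -ImapEnabled $false `
        -MAPIEnabled $false -EwsEnabled $false

    # 5. Verify the result and list devices that had mailbox access,
    #    so they can be checked (or wiped) as part of the leaver review.
    $state = Get-AzureADUser -ObjectId $user.ObjectId | Select-Object UserPrincipalName, AccountEnabled
    $cas   = Get-CASMailbox -Identity $UserPrincipalName | Select-Object ActiveSyncEnabled, OWAEnabled, ImapEnabled, PopEnabled
    $devices = Get-MobileDeviceStatistics -Mailbox $UserPrincipalName |
        Select-Object DeviceType, DeviceModel, LastSuccessSync

    [PSCustomObject]@{ Account = $state; Mailbox = $cas; Devices = $devices }
}

# Example usage (constructed UPN):
# Disable-LeaverAccess -UserPrincipalName 'leaver@example.com'
```

For accounts federated through an external IdP such as Okta, the same steps still apply on the Office 365 side, but the user must also be deactivated in the IdP, since that is where authentication actually happens.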

We use Okta.

Ok, we'll add those steps to our offboarding process.

Thanks!