Apr 06 2020 08:33 AM
Apr 06 2020 08:33 AM
Hey i am noticing a behaviour that i can reproduce right now that is very disturbing to my users/managers.
We are having to terminate people due to covid, but we want to offer the ability for them to come back one day, so the accounts are not being deleted, merely disabled.
I have noticed that if a user is still logged into teams, even though their AD account is disabled, and office365 says "blocked" they can still get in and attend team meetings! i can even send an email calendar invite to a meeting and the user can join that meeting. Tested 1 hour after they were disabled in AD and blocked in office 365.
obviously this is a huge problem!!! i have read other posts that an "active sync" connection may be left open for possibly days. Is this what is happening? it seems more specific to exchange though.
Is there a setting somewhere or a way to force disabled users to logout? i even changed the users password and they can still open teams and it just auto logs them in.
Apr 06 2020 09:13 AM
Disabling a user doesn't immediately terminate access, this has been discussed in numerous threads/blog posts which you can look up for additional details. TL;DR version is that users will have access until the tokens expire, and if you want to speed things up a bit you can revoke tokens via the O365 admin portal or the Revoke-AzureADUserAllRefreshToken cmdlet.
Apr 06 2020 09:21 AMSolution
looks like i was able to block the attempt after some time now with the following command:
Revoke-AzureADUserAllRefreshToken -ObjectId email@example.com
of course you have to connect to azure first with powershell.
Install-Module AzureAD -Force
Apr 06 2020 09:25 AM
@windows2000A quick workaround for this solution could be turning off their Teams License so they are not able to use Microsoft team in desktop/Mobile/could version since if they try to login they will get no license / active Team license.
I hope this will work and resolve your issue!
Apr 06 2020 09:29 AM
@Vasil MichevIf it was in "numerous threads" i would have found it this morning easily by searching. There was nothing specific to teams. Even this command I found is for azure AD. I would think office 365 would behave better. A blocked user is a blocked user and therefor should force a disconnect at that time. Stupid that i have to run manual commands.
Jun 19 2020 03:00 AM
The most secure way to manage this would be to change their passwords at the same time when blocking the accounts.