SOLVED

Disabled teams account can still log in

Brass Contributor

Hey i am noticing a behaviour that i can reproduce right now that is very disturbing to my users/managers.

 

We are having to terminate people due to covid, but we want to offer the ability for them to come back one day, so the accounts are not being deleted, merely disabled.

 

I have noticed that if a user is still logged into teams, even though their AD account is disabled, and office365 says "blocked" they can still get in and attend team meetings! i can even send an email calendar invite to a meeting and the user can join that meeting. Tested 1 hour after they were disabled in AD and blocked in office 365.

 

obviously this is a huge problem!!! i have read other posts that an "active sync" connection may be left open for possibly days. Is this what is happening? it seems more specific to exchange though.

ref: https://old.reddit.com/r/sysadmin/comments/8jlqmn/terminated_employee_sent_email_an_hour_after/

 

Is there a setting somewhere or a way to force disabled users to logout? i even changed the users password and they can still open teams and it just auto logs them in.

 

 

7 Replies

Disabling a user doesn't immediately terminate access, this has been discussed in numerous threads/blog posts which you can look up for additional details. TL;DR version is that users will have access until the tokens expire, and if you want to speed things up a bit you can revoke tokens via the O365 admin portal or the Revoke-AzureADUserAllRefreshToken cmdlet.

best response confirmed by windows2000 (Brass Contributor)
Solution

looks like i was able to block the attempt after some time now with the following command:

 

Revoke-AzureADUserAllRefreshToken -ObjectId user@domain.ca

 

ref: https://www.petri.com/blocking-access-office-365-user

 

of course you have to connect to azure first with powershell.

 

Install-Module AzureAD -Force
Import-Module AzureAD
Connect-AzureAD

 

@windows2000A quick workaround for this solution could be turning off their Teams License so they are not able to use Microsoft team in desktop/Mobile/could version since if they try to login they will get no license / active Team license.

 

I hope this will work and resolve your issue!

@Vasil MichevIf it was in "numerous threads" i would have found it this morning easily by searching. There was nothing specific to teams. Even this command I found is for azure AD. I would think office 365 would behave better. A blocked user is a blocked user and therefor should force a disconnect at that time. Stupid that i have to run manual commands.

I tried that about three weeks ago and it worked, I tried it again yesterday and it didn't work. I think you need to revoke licences

The most secure way to manage this would be to change their passwords at the same time when blocking the accounts.

@SuleimanDC Revoke the sessions from Azure AD account page, this will kill all the O365 active sessions by revoking the tokens

1 best response

Accepted Solutions
best response confirmed by windows2000 (Brass Contributor)
Solution

looks like i was able to block the attempt after some time now with the following command:

 

Revoke-AzureADUserAllRefreshToken -ObjectId user@domain.ca

 

ref: https://www.petri.com/blocking-access-office-365-user

 

of course you have to connect to azure first with powershell.

 

Install-Module AzureAD -Force
Import-Module AzureAD
Connect-AzureAD

 

View solution in original post