You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This script can be used to remove access for a user when their account is compromised or if the employee is leaving the org.
Directly updating Azure Active Directory reduces the 15-30 min sync latency.
<#.SYNOPSIS This script automates the recommendations on the [Revoke user access in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/enterprise-users/users-revoke-access) page. Summary of actions perfomed by this script. * On-premises Active Directory * Disable account * Force password change on next sign-in * Azure Active Directory * Disable account * Disable devices * Force password change on next sign-in * Revoke refresh tokens Note: This script requires Windows PowerShell 5.1 as it relies on the Active Directory PS module as well as Microsoft Online PowerShell module..EXAMPLE PS > Revoke-UserAccess -userId johnd@contoso.com -samAccountName @johnd Immediately revokes user's access to Active Directory and Azure Active Directory.#>
[CmdletBinding()]
param
(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$userId,
[Parameter()]
[ValidateNotNullOrEmpty()]
[string]$samAccountName
)
# Connect-Graph Directory.AccessAsUser.All# Connect-MsolService# Generate random scrambled passwordAdd-Type-AssemblyName 'System.Web'$tempCred= [System.Web.Security.Membership]::GeneratePassword(120,30)
if($samAccountName) {
Write-Output"Azure Active Directory"# Disable the user in Active DirectoryWrite-Output" * Disabling account..."Disable-ADAccount-Identity $samAccountName# Reset the user's passwordWrite-Output" * Resetting password..."Set-ADAccountPassword-Identity $samAccountName-Reset -NewPassword (ConvertTo-SecureString-AsPlainText $tempCred-Force)
Set-ADUser-Identity $samAccountName-ChangePasswordAtLogon $true
}
Select-MgProfile-Name beta
Write-Output"Azure Active Directory"# Disable the user in Azure AD.Write-Output" * Disabling account..."Update-MgUser-UserId $userId-AccountEnabled:$false# Reset the user's passwordWrite-Output" * Resetting password..."$params=@{
PasswordProfile=@{
ForceChangePasswordNextSignIn=$truePassword=$tempCred
}
}
Update-MgUser-UserId $userId-BodyParameter $params# Disable the user's devices.Write-Output" * Disabling devices..."$devices=Get-MgUserRegisteredDevice-UserId $userIdforeach($devicein$devices) {
Update-MgDevice-DeviceId $device.Id-AccountEnabled $false
}
# Remove all MFA methods to allow user to set up againWrite-Output" * Removing authentication methods..."# Note: Use Set-MsolUser until this cmdlet is available in Graph PowerShellSet-MsolUser-UserPrincipalName belinda@fdoau.onmicrosoft.com-StrongAuthenticationMethods @()
Write-Output" * Revoking tokens..."# Revoke the user's Azure AD refresh tokensRevoke-MgUserSignInSession-UserId $userId
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
This script can be used to remove access for a user when their account is compromised or if the employee is leaving the org.
Directly updating Azure Active Directory reduces the 15-30 min sync latency.
Beta Was this translation helpful? Give feedback.
All reactions