At a time when digital security is becoming increasingly important, managing user access is a crucial factor in protecting sensitive data and resources. Microsoft Entra provides companies with powerful tools to control and monitor access to critical information and systems. Especially in critical situations, such as compromised user accounts or employee departures, it is essential to quickly and securely revoke access to minimize potential security risks.

This blog post describes in detail how to revoke user access in a hybrid or cloud-only environment using Microsoft Entra. The guide ensures that the user account is disabled, the password is reset, tokens are revoked, and all user devices are disabled.

Prerequisites

Least Privileged Roles

This article follows the principle of least privilege for each task and suggests an appropriate role. However, depending on your specific configuration, another role may also be suitable. A helpful overview of the minimum required permissions for various tasks can be found in the following article on Microsoft Learn:
Least privileged roles by task – Microsoft Entra ID | Microsoft Learn

Role | Task | Permission
Password Administrator | Reset password | microsoft.directory/users/password/update
User Administrator | Disable user account | microsoft.directory/users/disable
Helpdesk Administrator | Revoke refresh tokens | microsoft.directory/users/invalidateAllRefreshTokens
Cloud Device Administrator | Disable devices | microsoft.directory/devices/disable

To disable user accounts and reset passwords in a hybrid environment, membership in the Account Operators security group in the on-premises Active Directory is appropriate.

Revoke User Access

If no local Active Directory is in use, you can proceed directly to the section Microsoft Entra environment.

Hybrid Environment

Start the Active Directory Users and Computers Snap-In on the Windows Server.

Disable User Account

Select User > Disable Account

The user account has now been successfully disabled.

Reset Password

The user password is reset twice to mitigate the risk of a Pass-the-Hash attack (see "What is a Pass-the-Hash attack?" under Good to know below).

Select User > Reset Password

Enter new password

The password has been successfully reset. Now, the password must be reset a second time.
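The same hybrid-environment steps as a script, added here as an example and not part of the original post. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module and an account in the Account Operators group; the sAMAccountName is a constructed placeholder.

```powershell
# Added example (not from the original post): disable the on-premises account and reset
# its password twice. Run as a member of Account Operators (or equivalent).
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # constructed placeholder, replace with the affected account

function New-RandomPassword {
    # 24 random bytes, Base64-encoded: 32 characters of mixed case, digits and symbols,
    # which satisfies the default domain complexity policy. The value is never displayed.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Disable the account (User > Disable Account in the snap-in).
Disable-ADAccount -Identity $SamAccountName

# 2. Reset the password twice with fresh random values (User > Reset Password, twice).
1..2 | ForEach-Object {
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (New-RandomPassword)
}

# Verification: Enabled must be False and PasswordLastSet must be the current time.
Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet
```

Run it during the next Microsoft Entra Connect sync cycle or trigger one afterwards so the disabled state reaches the cloud account.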

Microsoft Entra Environment

The user account, associated refresh tokens, and devices can be disabled in the Microsoft Entra admin center.

Reset Password

This step is only necessary for cloud-only user accounts. For synchronized user accounts, the password is reset in Active Directory.

Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.

Select Overview > Reset Password (1) > Reset Password (2)

A temporary password has been created. This password never expires.

Disable user account

Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.

Select Properties > Settings.

Disable account

The account status is displayed as disabled in the overview.

Revoke Refresh Tokens

Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.

Click on Revoke sessions

Confirm Revoke sessions

The refresh tokens have been successfully revoked. All active user sessions are terminated and re-authentication is forced. However, authentication will fail because the user account was previously disabled.

Disable Devices

Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.

Click on Devices (1), select all Devices (2) and choose Disable (3).

Confirm disable devices

The user’s devices will be shown as Disabled.
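The four Microsoft Entra steps above (reset password for cloud-only accounts, disable account, revoke refresh tokens, disable devices) as a Microsoft Graph PowerShell script, added here as an example and not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed, the signed-in admin holds the roles listed under Prerequisites, and the UPN is a constructed placeholder.

```powershell
# Added example (not from the original post): revoke a user's access in Microsoft Entra
# with the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement

$Upn = 'jane.doe@contoso.example'   # constructed placeholder, replace with the affected account

# Delegated scopes: Directory.AccessAsUser.All is required to reset another user's password.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'Device.ReadWrite.All'

$user = Get-MgUser -UserId $Upn -Property 'id,accountEnabled,onPremisesSyncEnabled'

# 1. Reset password, cloud-only accounts only. Synchronized accounts are reset in Active Directory.
if (-not $user.OnPremisesSyncEnabled) {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $temp  = [Convert]::ToBase64String($bytes)   # random throwaway value, never shared
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true
    }
}

# 2. Disable the account, so the re-authentication forced in step 3 fails.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Invalidate all refresh tokens (Revoke sessions in the admin center).
$revoked = Revoke-MgUserSignInSession -UserId $user.Id
Write-Host "Refresh tokens revoked: $($revoked.Value)"

# 4. Disable every device the user owns or has registered (the Devices blade shows both).
$devices = @(Get-MgUserOwnedDevice -UserId $user.Id -All) + @(Get-MgUserRegisteredDevice -UserId $user.Id -All) |
    Sort-Object Id -Unique
foreach ($device in $devices) {
    Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
}

# Verification: AccountEnabled must be False for the user and for each device.
Get-MgUser -UserId $user.Id -Property 'userPrincipalName,accountEnabled' |
    Select-Object UserPrincipalName, AccountEnabled
$devices | ForEach-Object { Get-MgDevice -DeviceId $_.Id -Property 'displayName,accountEnabled' } |
    Format-Table DisplayName, AccountEnabled
```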

Good to know

What is a Pass-the-Hash attack?

A Pass-the-Hash attack is a technique where an attacker uses the hash value of a password to authenticate to a system. Instead of knowing or guessing the actual password, the attacker extracts the hash value, which is normally used for securely storing passwords. This hash value is then used directly for sign-in. Since the hash value has the same authentication power as the original password, the attacker can access the system as if they had entered the password themselves. This method bypasses the need to know the actual password and poses a significant security threat.

An attacker can obtain the hash value in various ways, such as:

  • by reading memory contents: The attacker can directly extract the hash value from the memory of a compromised system.
  • by intercepting network traffic: If the hash value is transmitted over the network, the attacker can capture it.
  • by exploiting vulnerabilities: Security flaws in software or operating systems can allow the attacker to access the hash values.
  • by breaching databases: The attacker can break into a database where the hash values are stored and extract them.
