At a time when digital security is becoming increasingly important, managing user access is a crucial factor in protecting sensitive data and resources. Microsoft Entra provides companies with powerful tools to control and monitor access to critical information and systems. Especially in critical situations, such as compromised user accounts or employee departures, it is essential to quickly and securely revoke access to minimize potential security risks.
This blog post describes in detail how to revoke user access in a hybrid or cloud-only environment using Microsoft Entra. The guide ensures that the user account is disabled, the password is reset, tokens are revoked, and all user devices are disabled.
Prerequisites
Least Privileged Roles
This article follows the principle of least privilege for each task and suggests an appropriate role. However, depending on your specific configuration, another role may also be suitable. A helpful overview of the minimum required permissions for various tasks can be found in the following article on Microsoft Learn:
Least privileged roles by task – Microsoft Entra ID | Microsoft Learn
Role | Task | Permission
Password Administrator | Reset password | microsoft.directory/users/password/update
User Administrator | Disable user account | microsoft.directory/users/disable
Helpdesk Administrator | Revoke refresh tokens | microsoft.directory/users/invalidateAllRefreshTokens
Cloud Device Administrator | Disable devices | microsoft.directory/devices/disable
To disable user accounts and reset passwords in a hybrid environment, membership in the Account Operators security group in the on-premises Active Directory is appropriate.
Revoke User Access
If no local Active Directory is in use, you can proceed directly to the section Microsoft Entra environment.
Hybrid Environment
Start the Active Directory Users and Computers Snap-In on the Windows Server.
Disable User Account
Select User > Disable Account
The user account has now been successfully disabled.
Reset Password
The user password is reset twice to mitigate the risk of a Pass-the-Hash attack. What is a Pass-the-Hash attack?
Select User > Reset Password
Enter new password
The password has been successfully reset. Now, the password must be reset a second time.
Microsoft Entra Environment
The user account, associated refresh tokens, and devices can be disabled in the Microsoft Entra admin center.
Reset Password
This step is only necessary for cloud-only user accounts. For synchronized user accounts, the password is reset in Active Directory.
Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.
Select Overview > Reset Password (1) > Reset Password (2)
A temporary password has been created. This password never expires.
Disable user account
Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.
Select Properties > Settings.
Disable account
The account status is displayed as disabled in the overview.
Revoke Refresh Tokens
Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.
Click on Revoke sessions
Confirm Revoke sessions
The refresh tokens have been successfully revoked. All active user sessions are terminated and re-authentication is forced. However, authentication will fail because the user account was previously disabled.
Disable Devices
Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
and navigate to Identity > Users > All users and select the user account.
Click on Devices (1), select all devices (2) and choose Disable (3).
Confirm disable devices
The user’s devices will be shown as Disabled.
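The hybrid steps (disable the AD account, reset the password twice) and the Entra steps (reset password for cloud-only accounts, disable the account, revoke refresh tokens, disable devices) can be run as one PowerShell runbook. The block below is an added example, not code from the original post. It assumes the ActiveDirectory RSAT module and the Microsoft Graph PowerShell SDK are installed, that the operator holds the roles from the table above, and that the Graph scopes it requests are the delegated permissions that cover each call in your tenant; the account names in the usage lines are placeholders.

```powershell
# Added example (not from the original post): hybrid + Entra access revocation.
# Assumed modules: ActiveDirectory (RSAT) and Microsoft.Graph. The requested
# Graph scopes are assumed to cover each call; adjust them to your tenant.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function New-RandomPassword {
    # 64-character alphabet, so "byte mod 64" is unbiased; I, l, O, 0 and 1 are left out.
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*+?'.ToCharArray()
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Revoke-OnPremUserAccess {
    # Hybrid section: disable the AD account, then reset the password twice.
    param([Parameter(Mandatory)][string]$SamAccountName)

    Disable-ADAccount -Identity $SamAccountName

    # Two consecutive resets to throw-away random values, as the post recommends
    # against Pass-the-Hash. -Reset does not require the old password.
    1..2 | ForEach-Object {
        $new = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
    }

    # Read the state back so the output doubles as evidence of the action.
    Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

function Revoke-EntraUserAccess {
    # Entra section: reset password (cloud-only), disable, revoke tokens, disable devices.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'Directory.AccessAsUser.All' -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled

    # 1. Password reset only for cloud-only accounts; synced accounts are reset in AD.
    if (-not $user.OnPremisesSyncEnabled) {
        Update-MgUser -UserId $user.Id -PasswordProfile @{
            Password                      = New-RandomPassword
            ForceChangePasswordNextSignIn = $true
        }
    }

    # 2. Disable the account.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 3. Revoke refresh tokens: every session must re-authenticate, which now fails.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 4. Disable every device registered to the user.
    $devices = Get-MgUserRegisteredDevice -UserId $user.Id -All
    foreach ($device in $devices) {
        Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
    }

    # Read the state back so the output doubles as evidence of the action.
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        AccountEnabled  = (Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled
        DevicesDisabled = @($devices | ForEach-Object {
            (Get-MgDevice -DeviceId $_.Id -Property AccountEnabled).AccountEnabled -eq $false
        }) -notcontains $false
    }
}

# Usage (placeholder names): in a hybrid tenant run the AD part first, then the Entra part;
# in a cloud-only tenant run only the Entra part.
# Revoke-OnPremUserAccess -SamAccountName 'jdoe'
# Revoke-EntraUserAccess  -UserPrincipalName 'jdoe@contoso.example'
```

The order matters for the same reason the post gives: disabling the account and resetting the password before revoking sessions means that the forced re-authentication cannot succeed. The two read-back objects at the end are what you would attach to the incident record.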
Good to know
What is a Pass-the-Hash attack?
A Pass-the-Hash attack is a technique where an attacker uses the hash value of a password to authenticate to a system. Instead of knowing or guessing the actual password, the attacker extracts the hash value, which the system stores in place of the password. This hash value is then used directly for sign-in. Since the hash value has the same authentication power as the original password, the attacker can access the system as if they had entered the password themselves. This method bypasses the need to know the actual password and poses a significant security threat.
An attacker can obtain the hash value in various ways, such as:
- by reading memory contents: The attacker can directly extract the hash value from the memory of a compromised system.
- by intercepting network traffic: If the hash value is transmitted over the network, the attacker can capture it.
- by exploiting vulnerabilities: Security flaws in software or operating systems can allow the attacker to access the hash values.
- by breaching databases: The attacker can break into a database where the hash values are stored and extract them.