Account Disabling and Session Revocation
Account Disabling and Session Revocation are critical security mechanisms within Microsoft Identity and Access Management that help administrators protect organizational resources and respond to security incidents. **Account Disabling** refers to the process of temporarily or permanently preventing a user from authenticating and accessing resources. In Azure Active Directory (Azure AD), administrators can disable user accounts through the Azure portal, PowerShell, or the Microsoft Graph API. When an account is disabled, the user cannot sign in or obtain new tokens. Common scenarios include employee termination, security breaches, suspicious activity detection, and extended leaves of absence. Disabled accounts retain their configuration, group memberships, and role assignments, allowing easy reactivation when needed. Administrators can also use Conditional Access policies and Identity Protection to automatically block sign-ins based on risk level. **Session Revocation** is the process of invalidating active user sessions and tokens to cut off access immediately. This is crucial because even after an account is disabled, existing access tokens remain valid until they expire (typically 60-90 minutes for access tokens). To enforce immediate revocation, administrators can use the Revoke-AzureADUserAllRefreshToken cmdlet or the Microsoft Graph API to revoke all refresh tokens. This forces users to re-authenticate, and because the account is disabled, they cannot obtain new tokens. Additionally, Continuous Access Evaluation (CAE) enhances session revocation by enabling near real-time enforcement of critical events such as account disabling, password changes, and location changes. CAE-aware applications can respond to revocation events within minutes rather than waiting for token expiration. Best practices include combining both mechanisms during security incidents, implementing automated workflows using Azure Logic Apps or Identity Governance, and regularly auditing sign-in logs. Organizations should also establish clear procedures for emergency access scenarios and maintain break-glass accounts so that administrative access is never fully locked out during incident response.
Account Disabling and Session Revocation in Microsoft Entra ID (SC-300)
Why Is Account Disabling and Session Revocation Important?
In any enterprise environment, the ability to quickly disable accounts and revoke active sessions is a critical security control. When an employee leaves an organization, when credentials are compromised, or when suspicious activity is detected, administrators must be able to immediately cut off access. Without proper account disabling and session revocation procedures, a threat actor could continue to exploit valid credentials or active tokens even after a security incident has been identified. This makes it one of the most essential topics for identity and access management, and a frequently tested area on the SC-300 exam.
What Is Account Disabling?
Account disabling refers to the process of preventing a user account from authenticating to any services or resources. In Microsoft Entra ID (formerly Azure Active Directory), this is done by setting the account's sign-in status to blocked. A disabled account still exists in the directory, retaining its attributes, group memberships, and role assignments, but the user cannot sign in.
Key characteristics of account disabling:
- The account remains in the directory and can be re-enabled later.
- It is different from account deletion, which moves the account to the recycle bin (soft delete) and eventually permanently removes it after 30 days.
- Disabling is often the first step in an offboarding process or incident response workflow.
- Disabled accounts do not automatically invalidate existing access tokens or refresh tokens that were issued before the account was disabled.
What Is Session Revocation?
Session revocation is the process of invalidating all active sessions and tokens associated with a user account. Even after an account is disabled, previously issued tokens (such as OAuth 2.0 access tokens, refresh tokens, and session cookies) may still be valid until they expire. Access tokens in Microsoft Entra ID have a default lifetime that varies between 60 and 90 minutes (roughly one hour). This means a user whose account was just disabled could still access resources for up to an hour or more using cached tokens.
Session revocation addresses this gap by explicitly invalidating these tokens so that access is terminated immediately.
How Does It Work in Microsoft Entra ID?
There are several mechanisms and tools involved:
1. Blocking Sign-In
- Navigate to Microsoft Entra admin center → Users → Select the user → Edit properties → Settings → Block sign in.
- Set Block sign in to Yes.
- This prevents new authentications but does NOT revoke existing tokens immediately.
2. Revoking Sessions
- In the Microsoft Entra admin center, go to the user's profile and select Revoke sessions.
- This invalidates all refresh tokens issued to the user by setting the refreshTokensValidFromDateTime property to the current time.
- You can also use Microsoft Graph API: POST /users/{id}/revokeSignInSessions.
- After revocation, the user must re-authenticate, and since their account is blocked, they will be denied access.
3. Continuous Access Evaluation (CAE)
- CAE is a feature that enables near real-time token revocation for supported Microsoft 365 workloads (Exchange Online, SharePoint Online, Teams).
- With CAE, critical events like account disabling or password changes are communicated to resource providers in near real-time, causing access tokens to be revoked within minutes rather than waiting for the token to expire.
- CAE-aware applications listen for these events and enforce re-authentication immediately.
- This significantly reduces the window of vulnerability after an account is disabled.
4. Conditional Access and Token Lifetime Policies
- Conditional Access policies with sign-in frequency controls can require users to re-authenticate at defined intervals, reducing the impact of stale sessions.
- Token lifetime policies (configurable via Microsoft Graph) can be used to shorten the lifetime of access tokens, though Microsoft now recommends using Conditional Access sign-in frequency instead for most scenarios.
5. On-Premises Hybrid Considerations
- For hybrid environments using Azure AD Connect, disabling an account in on-premises Active Directory will sync to Microsoft Entra ID during the next sync cycle (default: every 30 minutes).
- To ensure immediate effect, you can trigger a delta sync manually or disable the account directly in Microsoft Entra ID as well.
- On-premises Kerberos tickets may still be valid until they expire (typically 10 hours), so additional steps like resetting the user's password on-premises may be necessary.
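The hybrid steps above, as an added PowerShell example that is not part of the original page: disable the account on-premises, reset its password, trigger a delta sync rather than waiting for the scheduled cycle, and block the cloud object directly. The sAMAccountName, UPN and sync server name are constructed placeholders; the script assumes the ActiveDirectory and Microsoft.Graph modules are available locally and the ADSync module on the connect server.

```powershell
# Added example (not from the original page): contain a hybrid account
# without waiting for the 30-minute Azure AD Connect scheduler.
# All three values below are constructed placeholders.
$SamAccountName    = 'jdoe'
$UserPrincipalName = 'jdoe@contoso.example'
$SyncServer        = 'aadconnect01'   # host running Azure AD Connect (assumption)

Import-Module ActiveDirectory

# 1. Disable the on-premises account and reset its password. Kerberos
#    tickets already issued stay valid until they expire (typically 10
#    hours), so the reset limits what cached credentials can still obtain.
Disable-ADAccount -Identity $SamAccountName
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ('Tmp!' + [Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPw

# 2. Push the change now: run a delta sync on the connect server.
Invoke-Command -ComputerName $SyncServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Do not rely on sync latency: block sign-in and revoke sessions in
#    Microsoft Entra ID as well (scope is an assumption).
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# 4. Confirm the cloud object is disabled before closing the ticket.
$cloud = Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled
if ($cloud.AccountEnabled) { throw "$UserPrincipalName is still enabled in Entra ID" }
Write-Host "$UserPrincipalName disabled on-premises, synced, and blocked in the cloud"
```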
Best Practice: Complete Offboarding / Incident Response Workflow
For maximum security when responding to a compromised account or offboarding:
1. Block sign-in on the user account.
2. Revoke all sessions using the Revoke sessions button or Graph API.
3. Reset the user's password to invalidate any cached credentials.
4. Disable or remove MFA methods if the account is compromised.
5. Remove role assignments and group memberships if necessary.
6. Revoke any app consent grants the user may have provided.
7. Leverage Continuous Access Evaluation for near real-time enforcement on supported workloads.
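The workflow above (and the Block sign-in and Revoke sessions steps from the How Does It Work section), as an added Microsoft Graph PowerShell example that is not part of the original page. The user principal name is a constructed placeholder; the Graph scopes are an assumption and the signed-in administrator also needs a role that can reset passwords. Steps 4 and 5 (MFA methods, roles and groups) depend on the method types and memberships involved and are left to the administrator.

```powershell
# Added example (not from the original page): contain a compromised or
# offboarded account with Microsoft Graph PowerShell.
$UserPrincipalName = 'compromised.user@contoso.example'   # constructed placeholder

# Scopes are an assumption; adjust to your tenant's role model.
Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'User-PasswordProfile.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All'

$user   = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled
$before = (Get-Date).ToUniversalTime()

# Step 1: block sign-in. This stops NEW authentications only; tokens that
# were issued earlier stay valid until they expire or are revoked.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: revoke sessions. Graph sets refreshTokensValidFromDateTime to now,
# so every existing refresh token is rejected on its next use; the user must
# re-authenticate and is then denied because the account is blocked.
$result = Revoke-MgUserSignInSession -UserId $user.Id
if (-not $result.Value) { throw "Session revocation failed for $UserPrincipalName" }

# Step 3: reset the password to a random value so cached credentials are
# useless. The value is deliberately not recorded; the account is blocked.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$passwordProfile = @{
    Password                      = 'Tmp!' + [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId $user.Id -PasswordProfile $passwordProfile

# Step 6: revoke OAuth consent grants the user gave to applications, so a
# consented app cannot keep exercising delegated permissions on their behalf.
Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
    Write-Host "Removing consent grant $($_.Id) (scope: $($_.Scope))"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

# Verify: the account must be disabled and the revocation timestamp must be
# at or after the time this script started (5-minute skew tolerance).
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled,RefreshTokensValidFromDateTime
if ($check.AccountEnabled) { throw 'Account is still enabled' }
if ($check.RefreshTokensValidFromDateTime -lt $before.AddMinutes(-5)) {
    throw 'refreshTokensValidFromDateTime was not advanced'
}
Write-Host "Contained $($user.DisplayName): blocked, sessions revoked at $($check.RefreshTokensValidFromDateTime)"
```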
Key Concepts to Remember for the SC-300 Exam
- Disabling an account does NOT automatically revoke existing tokens.
- Access tokens have a default lifetime of approximately 1 hour and cannot be revoked directly (unless CAE is in effect).
- Refresh tokens can be revoked using the Revoke sessions action.
- Continuous Access Evaluation (CAE) provides near real-time enforcement for supported services.
- The refreshTokensValidFromDateTime property is the underlying mechanism that invalidates refresh tokens upon revocation.
- In hybrid environments, sync latency must be considered when disabling accounts on-premises.
Exam Tips: Answering Questions on Account Disabling and Session Revocation
Tip 1: Understand the Token Lifecycle
Exam questions often test whether you understand that blocking sign-in alone is not enough. If a question asks how to immediately prevent access, look for answers that include both blocking sign-in AND revoking sessions. Simply disabling the account leaves a window of vulnerability.
Tip 2: Know the Difference Between Access Tokens and Refresh Tokens
Access tokens are short-lived and presented to resource servers. Refresh tokens are longer-lived and used to obtain new access tokens. Revoking sessions invalidates refresh tokens, forcing re-authentication when the current access token expires. CAE can invalidate access tokens in near real-time for supported services.
Tip 3: Recognize CAE Scenarios
If a question mentions Exchange Online, SharePoint Online, or Teams and asks about near real-time revocation, Continuous Access Evaluation is likely the correct answer. CAE is the mechanism that closes the token lifetime gap for these services.
Tip 4: Watch for Hybrid Identity Scenarios
If the question involves an on-premises Active Directory synced with Microsoft Entra ID, remember the sync delay. The correct answer might involve triggering a manual delta sync or disabling the account directly in the cloud in addition to on-premises.
Tip 5: Distinguish Between Disable and Delete
Exam questions may try to confuse you between disabling and deleting an account. Disabling preserves the account and is reversible. Deleting moves it to a soft-delete state (recoverable for 30 days). For incident response, disabling is usually preferred because it preserves evidence and allows recovery.
Tip 6: Graph API Commands
Be familiar with the Graph API endpoint revokeSignInSessions. Questions might present PowerShell or Graph API scenarios and ask which command achieves session revocation. The cmdlet in Microsoft Graph PowerShell is Revoke-MgUserSignInSession.
Tip 7: Look for the Most Complete Answer
Many SC-300 questions present multiple steps. The best answer for securing a compromised account will typically include: block sign-in + revoke sessions + reset password. If an answer only includes one of these steps, it is likely incomplete. Choose the answer that provides the most comprehensive security posture.
Tip 8: Conditional Access Sign-In Frequency
If a question asks about reducing the risk of stale sessions proactively (before an incident), the answer is likely Conditional Access sign-in frequency, which forces periodic re-authentication. This is different from reactive session revocation.
Tip 9: Emergency Access Accounts
Remember that emergency access (break-glass) accounts should be excluded from policies that might disable them. If a question involves account disabling policies, ensure the answer does not inadvertently lock out emergency access accounts.
Tip 10: Read the Question Carefully
Pay attention to keywords like immediately, prevent future sign-ins, terminate active sessions, and near real-time. These keywords point to different actions: blocking sign-in prevents future authentication, revoking sessions terminates refresh tokens, and CAE provides near real-time access token invalidation.