How to Immediately Suspend a User Account Suspected of Compromise

Steps

Issue

A user account is suspected of being compromised and must be suspended immediately to prevent further access, including Azure Portal access and silent re‑entry.

Actions

Recommended Process to Immediately Block a User During Suspected Compromise

Given the hybrid identity configuration, synchronization interval, and Conditional Access setup, perform the following steps in order:

1. Disable the Account in On‑Premises Active Directory

• Disable the user account in on‑premises Active Directory.
• This environment is the source of authority for identity.

Important Notes:

• The disabled state will synchronize to Microsoft Entra ID on the next sync cycle.
• Writeback from cloud to on‑premises is not supported for account status (except password changes).

2. Apply a Conditional Access Policy: “Block Access (All Cloud Apps)”

This is the fastest and most reliable method to immediately block access.

Why this step is critical:

• Immediately prevents token redemption and refresh.
• Neutralizes existing access tokens that cannot otherwise be revoked.
• Blocks access even if the user already has the Azure Portal open.

Behavior Explanation:

• The Azure Portal may appear active briefly due to cached UI elements.
• However, all actions require valid access or refresh tokens.
• When the CA “Block access” policy is applied:
  • Entra ID denies refresh token requests.
  • Azure Portal background calls (ARM and other APIs) fail.
  • The portal session is effectively terminated.

Recommendation:

• Create the CA policy ahead of time.
• Leave it unassigned by default.
• During an incident, immediately assign the impacted user(s) for enforcement.

3. Revoke Microsoft Entra ID Sessions

• Navigate to Entra Admin Center
• Go to Users → Select User → Revoke Sessions

Result:

• Invalidates refresh tokens and session cookies.
• Forces reauthentication wherever possible.

4. Disable Entra‑Joined or Hybrid‑Joined Device Primary Refresh Token (PRT)

If the user has corporate-managed devices, disable associated device objects to block silent SSO via PRT.

PowerShell Command:

Get-MgUserRegisteredDevice -UserId <UPN> | ForEach-Object { Update-MgDevice -DeviceId $_.Id -AccountEnabled:$false }

Result:

• Prevents the device from silently refreshing tokens.
• Blocks continued access via device trust.

5. Reset User Password and Reset MFA

• Perform a password reset for the user account.
• Reset all MFA registration and authentication methods.

Important Clarification:

• Password reset invalidates password‑based tokens only.
• MFA reset removes potentially compromised authentication methods.
• Password reset alone does not revoke non‑password tokens, which is why earlier steps are required.

6. Rely on Continuous Access Evaluation (CAE) for M365 Workloads

• With the “Block access” CA policy active, CAE will rapidly invalidate sessions in:
  • Exchange Online
  • SharePoint Online
  • Microsoft Teams

Result:

• Active sessions are continuously evaluated and promptly terminated without waiting for token expiration.

Outcome

Following this process ensures:

• Immediate containment of a compromised account
• Elimination of access across portal, devices, and workloads
• Prevention of token‑based and device‑based silent re‑entry
• Alignment with Microsoft security best practices for hybrid identity incidents