# Invoke-UserSignOutAndBlock
Immediately blocks sign-in, revokes all active sessions and refresh tokens, and optionally disables Entra ID-registered devices for one or more Microsoft 365 / Entra ID accounts. Designed for offboarding, incident response, and account compromise scenarios where rapid access revocation is required.
## Features

- Block sign-in - Sets `AccountEnabled = $false` so no new authentication attempts succeed
- Revoke sessions - Calls Microsoft Graph to invalidate all refresh tokens and active sessions immediately
- Device reporting - Lists all Entra ID-registered and Entra ID-joined devices owned by each account
- Device disablement - Optionally sets `AccountEnabled = $false` on each owned device in Entra ID (`-DisableDevices`)
- Multiple input methods - CSV file, in-memory array, or single UPN/Object ID
- WhatIf support - Preview all actions without making changes
- Timestamped CSV results - Full per-account report of every action taken
## Requirements

- PowerShell 5.1 or PowerShell 7+
- Microsoft Graph PowerShell modules:

```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module Microsoft.Graph.Users -Scope CurrentUser
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser
```

### Required Graph permissions

| Permission | Purpose |
|---|---|
| `User.ReadWrite.All` | Block sign-in, read user details |
| `Directory.ReadWrite.All` | Revoke sign-in sessions |
| `Device.ReadWrite.All` | Disable Entra ID-registered devices |
## Parameters

### Input parameters

| Parameter | Type | Description |
|---|---|---|
| `-CsvPath` | String | Path to CSV file. Required column: `Identity`. Optional column: `Reason`. |
| `-UserArray` | Object[] | Array of PSCustomObjects/hashtables with at minimum an `Identity` property. |
| `-Identity` | String | Single UPN or Entra Object ID for a one-off operation. |
### Action switches

| Parameter | Description |
|---|---|
| `-DisableDevices` | Also disable all Entra ID-registered/joined devices owned by each account. Without this switch, devices are reported but not modified. |
| `-SkipBlockSignIn` | Skip setting `AccountEnabled = $false`. Useful when you only want to revoke sessions. |
| `-SkipRevokeSession` | Skip session revocation. Useful when you only want to block sign-in or disable devices. |
| `-WhatIf` | Show what changes would be made without applying them. |
### Output parameters

| Parameter | Default | Description |
|---|---|---|
| `-OutputDirectory` | `C:\Reports\CSV_Exports` | Directory where the results CSV is saved. |
| `-GenerateTemplate` | - | Creates a blank CSV template and exits. |
## CSV input format

Example input file:

```csv
Identity,Reason
jdoe@contoso.com,Offboarding - last day 2026-03-13
jsmith@contoso.com,Account compromise - INC0012345
```

| Column | Required | Description |
|---|---|---|
| `Identity` | Yes | UPN or Entra Object ID |
| `Reason` | No | Logged to the results report for audit purposes |
## Results CSV columns

| Column | Description |
|---|---|
| `Identity` | Input identity value |
| `DisplayName` | Resolved display name from Entra ID |
| `Reason` | Reason provided in input |
| `SignInBlocked` | Success / Failed / Skipped / WhatIf |
| `SessionsRevoked` | Success / Failed / Skipped / WhatIf |
| `DevicesFound` | Count of Entra ID-registered devices |
| `DevicesDisabled` | Count of devices disabled (requires `-DisableDevices`) |
| `DeviceNames` | Pipe-delimited list of device names and OS |
| `Status` | Success / CompletedWithErrors / Failed |
| `ErrorDetails` | Error messages if any step failed |
| `Timestamp` | Time the account was processed |
## Usage examples

```powershell
# Single account: block sign-in and revoke sessions (devices reported only)
.\Invoke-UserSignOutAndBlock.ps1 -Identity "jdoe@contoso.com"

# Single account, also disable owned devices
.\Invoke-UserSignOutAndBlock.ps1 -Identity "jdoe@contoso.com" -DisableDevices

# Bulk from CSV, disabling devices
.\Invoke-UserSignOutAndBlock.ps1 -CsvPath "C:\Data\offboard.csv" -DisableDevices

# Bulk from an in-memory array
$accounts = @(
    [PSCustomObject]@{ Identity = "jdoe@contoso.com"; Reason = "Offboarding" }
    [PSCustomObject]@{ Identity = "jsmith@contoso.com"; Reason = "Account compromise" }
)
.\Invoke-UserSignOutAndBlock.ps1 -UserArray $accounts -DisableDevices

# Preview every action without making changes
.\Invoke-UserSignOutAndBlock.ps1 -CsvPath "C:\Data\offboard.csv" -WhatIf

# Create a blank CSV template in C:\Data and exit
.\Invoke-UserSignOutAndBlock.ps1 -GenerateTemplate -OutputDirectory "C:\Data"

# Revoke sessions only (leave the account enabled)
.\Invoke-UserSignOutAndBlock.ps1 -Identity "jdoe@contoso.com" -SkipBlockSignIn

# Block sign-in only (do not revoke sessions)
.\Invoke-UserSignOutAndBlock.ps1 -Identity "jdoe@contoso.com" -SkipRevokeSession
```

## Notes

Revoking sessions invalidates all refresh tokens immediately, so the user cannot silently renew access. However, existing short-lived access tokens (typically 1-hour lifetime) remain valid until they naturally expire. Blocking sign-in (`AccountEnabled = $false`) prevents any renewal of those tokens, so combining both actions is the most effective approach.

Disabling a device in Entra ID prevents it from authenticating to cloud services. However:

- The user's local Windows session on the device is not immediately terminated
- The device is not wiped or retired from Intune - use the Intune portal or a dedicated script for remote wipe

Only devices where the user is the registered owner in Entra ID are affected. Shared/unowned devices used by the account are not modified.
## Troubleshooting

Output file: `C:\Reports\CSV_Exports\UserSignOutAndBlock_Results_YYYYMMDD_HHmmss.csv`

This was a known issue with PowerShell 5.1 when `Get-MgUserOwnedDevice` returns a single object. Fixed in v1.0 by wrapping the result in `@()`.
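The per-account sequence the notes above describe (block sign-in first so nothing can be renewed, then revoke sessions, then report or disable owned devices with the `@()` guard from the PowerShell 5.1 issue), as an added example that is not the project's own script. It assumes an existing `Connect-MgGraph` session holding the permissions listed above, and uses `Invoke-MgGraphRequest` against the `revokeSignInSessions` action so that only the three modules listed above are needed; `Invoke-AccountLockdown` is a hypothetical name.

```powershell
# Added example, not the project's script. Assumes an existing Connect-MgGraph
# session with the permissions listed above; revokeSignInSessions is called via
# Invoke-MgGraphRequest so only the three listed modules are required.
function Invoke-AccountLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # UPN or Entra Object ID
        [switch]$DisableDevices
    )
    $r = [ordered]@{ Identity = $Identity; SignInBlocked = 'Skipped'; SessionsRevoked = 'Skipped'
                     DevicesFound = 0; DevicesDisabled = 0; ErrorDetails = @() }
    $user = Get-MgUser -UserId $Identity -Property Id,DisplayName -ErrorAction Stop
    $r.DisplayName = $user.DisplayName
    # 1. Block sign-in first: once AccountEnabled is false no token can be renewed,
    #    so an access token that outlives step 2 dies at its natural expiry (~1 h).
    if ($PSCmdlet.ShouldProcess($Identity, 'Set AccountEnabled = $false')) {
        try   { Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
                $r.SignInBlocked = 'Success' }
        catch { $r.SignInBlocked = 'Failed'; $r.ErrorDetails += $_.Exception.Message }
    } else { $r.SignInBlocked = 'WhatIf' }

    # 2. Revoke sessions: invalidates every refresh token and browser session now.
    $uri = "https://graph.microsoft.com/v1.0/users/$($user.Id)/revokeSignInSessions"
    if ($PSCmdlet.ShouldProcess($Identity, 'Revoke sign-in sessions')) {
        try   { Invoke-MgGraphRequest -Method POST -Uri $uri -ErrorAction Stop | Out-Null
                $r.SessionsRevoked = 'Success' }
        catch { $r.SessionsRevoked = 'Failed'; $r.ErrorDetails += $_.Exception.Message }
    } else { $r.SessionsRevoked = 'WhatIf' }

    # 3. Enumerate owned devices. @() guards the PowerShell 5.1 single-object case.
    $devices = @(Get-MgUserOwnedDevice -UserId $user.Id -All -ErrorAction Stop)
    $r.DevicesFound = $devices.Count
    $r.DeviceNames  = ($devices | ForEach-Object {
        "$($_.AdditionalProperties.displayName) ($($_.AdditionalProperties.operatingSystem))" }) -join ' | '

    # 4. Devices are only reported unless -DisableDevices is given.
    if ($DisableDevices) {
        foreach ($d in $devices) {
            if ($PSCmdlet.ShouldProcess($d.AdditionalProperties.displayName, 'Disable device')) {
                try   { Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false -ErrorAction Stop
                        $r.DevicesDisabled++ }
                catch { $r.ErrorDetails += $_.Exception.Message }
            }
        }
    }
    $r.Status       = if ($r.ErrorDetails.Count -eq 0) { 'Success' } else { 'CompletedWithErrors' }
    $r.ErrorDetails = $r.ErrorDetails -join '; '
    [PSCustomObject]$r
}
```

`Invoke-AccountLockdown -Identity jdoe@contoso.com -DisableDevices -WhatIf` previews every step and records `WhatIf` in the per-step columns; wrap the call in `try`/`catch` to log `Failed` for accounts that `Get-MgUser` cannot resolve, as the script does.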
```powershell
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser
```

Ensure the connecting account (or app registration) has `User.ReadWrite.All`, `Directory.ReadWrite.All`, and `Device.ReadWrite.All` granted in Entra ID.

The script will log a `Failed` status for accounts that cannot be resolved and continue processing the remaining accounts.
## Changelog

- v1.0 (2026-03-13): Initial release - block sign-in, revoke sessions, report/disable devices; CSV/array/single input; WhatIf support
## References

- Microsoft Docs: Revoke Sign-In Sessions
- Microsoft Docs: Update User (AccountEnabled)
- Microsoft Docs: Update Device
## Related scripts

- Set-EmailToSharedAccount - Convert offboarded mailboxes to shared and remove licenses
- Set-SMTPForward - Configure SMTP forwarding during offboarding or migration