RM Unify - How to block and unblock users in Microsoft 365
Published Date : 27 May 2016
Last Updated : 03 Oct 2024
Content Ref: TEC5030148
Summary
Provides steps to block/unblock users in Microsoft 365.
Symptoms
As a Microsoft® 365™ administrator, you may be required to block and/or unblock users' Microsoft 365 (M365) accounts.
Cause
Blocking an account prevents a user from initiating a new session to their Microsoft 365 account. However, if they already have an active session, for example a mobile device configured to access their mail account or an Outlook application on their desktop PC, they will continue to be able to use that active session until it expires.
If you want to fully block a user from their account, you should complete both of the following actions:
block the account to prevent new sessions from being initiated
end all active sessions
If you are blocking an account because it has been compromised, please also update the password associated with the account. See More Information below for details.
Requirements
You can block a user and end their active sessions through the 'Microsoft 365 admin center' or by using Windows® PowerShell®.
To block a user and end their active sessions using the Microsoft 365 Admin Center*
Sign into Microsoft 365 as a global administrator.
In Users, Active Users, search and select the user you want to block.
Click 'Block sign-in', Save.
Click Save, Close.
Expand OneDrive Settings.
Click Next to the Sign-out section and click Initiate
A user's current session on all devices should expire within 30 minutes, but this typically happens within a few minutes.
To block a user and end their active sessions using PowerShell*
Type Connect-AzureAD to connect to your tenancy as a global administrator.
Type Set-AzureADUser -ObjectID <account> -AccountEnabled $false and press Enter. For example, Set-AzureADUser -ObjectID joebloggs@schooldomain.com -AccountEnabled $false.
Type Get-AzureADUser -ObjectID <account> | Revoke-AzureADUserAllRefreshToken. For example, Get-AzureADUser -ObjectID joebloggs@schooldomain.com | Revoke-AzureADUserAllRefreshToken.
To unblock a user*:
Type Set-AzureADUser -ObjectID <account> -AccountEnabled $true and press Enter. For example, Set-AzureADUser -ObjectID joebloggs@schooldomain.com -AccountEnabled $true.
To block multiple users and end their active sessions using PowerShell*
Create a text file of users to be blocked and save the file locally, e.g. C:\temp\accounts.txt. The text file should contain one account name per line, for example:
Type the command: Get-Content "C:\temp\accounts.txt" | ForEach { Set-AzureADUser -ObjectID $_ -AccountEnabled $false } and press Enter.
Type the command: Get-Content "C:\temp\accounts.txt" | ForEach { Get-AzureADUser -ObjectID $_ | Revoke-AzureADUserAllRefreshToken } and press Enter.
To unblock multiple users*:
Type the command: Get-Content "C:\temp\accounts.txt" | ForEach { Set-AzureADUser -ObjectID $_ -AccountEnabled $true } and press Enter.
*Note: It may take several minutes for the settings change to take effect.
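The bulk block and session-revocation steps above can be combined into one pass that also reads each account back and records the outcome. This is an added example, not RM's own script; it assumes the AzureAD module is installed and Connect-AzureAD has already been run, and the function name Block-M365Account and the report path C:\temp\blocked-accounts.csv are hypothetical.

```powershell
# Added example: block every account listed in a file, revoke its refresh
# tokens, then read the account back so failures are visible per user.
# Assumes Connect-AzureAD has already been run as a global administrator.
function Block-M365Account {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Trim whitespace and skip blank lines so an empty string is never
    # passed as an ObjectId.
    $accounts = Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($account in $accounts) {
        $result = [pscustomobject]@{
            Account         = $account
            AccountEnabled  = $null
            TokensValidFrom = $null
            Status          = 'OK'
        }
        try {
            # Action 1: prevent new sessions from being initiated.
            Set-AzureADUser -ObjectId $account -AccountEnabled $false -ErrorAction Stop
            # Action 2: end active sessions by invalidating refresh tokens.
            Revoke-AzureADUserAllRefreshToken -ObjectId $account -ErrorAction Stop
            # Read the directory object back to confirm both changes landed.
            $user = Get-AzureADUser -ObjectId $account -ErrorAction Stop
            $result.AccountEnabled  = $user.AccountEnabled
            $result.TokensValidFrom = $user.RefreshTokensValidFromDateTime
            if ($user.AccountEnabled) { $result.Status = 'STILL ENABLED' }
        }
        catch {
            # A mistyped or missing account must not stop the rest of the batch.
            $result.Status = "FAILED: $($_.Exception.Message)"
        }
        $result
    }
}

$report = Block-M365Account -Path 'C:\temp\accounts.txt'
$report | Format-Table -AutoSize
# Keep a record of what was blocked and when (report path is an assumption).
$report | Export-Csv -Path 'C:\temp\blocked-accounts.csv' -NoTypeInformation
```

Any row whose Status is not OK needs to be handled manually; a row showing AccountEnabled as False confirms the directory change, while existing sessions still take the time described in the note above to expire.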
Checks
When the user's account has been blocked, they will be able to log on to RM Unify as normal. However, when they click the Outlook tile, they will be redirected to a page which says "Oops, something went wrong".
Email access
If a user is accessing their email on a mobile device or with Outlook on a desktop PC when their account is blocked and active sessions are terminated, they will still be able to view existing messages in their inbox if these have been locally cached, but no new messages will be sent or received. Failed outgoing messages will be saved to the Outbox. The end user may also see any of the following messages on their device:
"Password Incorrect"
"Connection to the server failed"
"Disconnected"
"Your account has been locked"
Possible Issues
If you block a user's sign-in and revoke their active sessions, and then unblock the account, it can take over 30 minutes for the user to be able to sign in and access all M365 services again. While access is being restored, some services such as OneDrive may become available sooner than other services such as Mail.
More Information
Compromised accounts
If you are blocking an M365 account because it has been compromised, for example, spam is being sent directly from the account or a third party has otherwise gained access to the account, then you should also change the password associated with the account. This will prevent the third party from regaining access once the account is unblocked. Where you change this password will depend on the configuration of your M365 domain. For example:
If your M365 domain is federated to RM Unify then update the password of the RM Unify user that is linked to the compromised account.
If your M365 domain is not linked to a third party then you may change the user's password from the 'Microsoft 365 admin center'.