Before looking at handling the terminated employee login and restricting access to company data from Office 365, we need to understand the details about the authentication and Refresh Token and Access Token.
Authentication: when a user access any service that is integrated with Azure AD like Office 365 (EXO) -> EXO will redirect the user Azure AD, Azure AD do the realm discovery -> If the domain is federated, then user will be redirected to federated service like ADFS -> ADFS authenticated the user with Active Directory and return a token -> User will present the token to Azure AD -> Azure AD validates the claims and authentication is successful -> Azure AD provides a Refresh token and a Access Token to user -> Users send the access token to EXO and he will have access to EXO service.
Access Token: Azure AD when identifies the authentication is successful, it provides access token and refresh token pair to user. User will send the access token to respective service like EXO to get access to the services. By default, it will have a time to live value of 1 hour and it cannot be revoked / expired by admin.
Refresh Token: when the access token about to expire after an hour, behind the scene… Refresh token will be send to Azure AD to get a new access token and a new access token \ refresh token pair will be provided to users. User present the new access token to EXO to retain the access. Refresh token are valid for 90 days and can be revoked by admins.
Note: Once the authentication is successful, user will be re prompted to authenticate after a max of 90 days. Refresh and Access token combination can be re used in the back end to access the Office 365 services without re-authentication for 90 days. Password Expiry \ Account Lock out will be identified during the access token refresh\renew interval and user will be prompted to authenticate.
Okay, let’s jump into find options to control terminated employee Sign-In access to Office 365 services
- Disabling and Resetting User Password – Disabling the account in On-Premise AD / Resetting the password is the first step you will do to stop the user from using Corporate Credential to access the Office 365 Services. These change has to replicate to Azure AD, so that Azure AD restricts the user from sign in using his existing credential or stop him from accessing the company resource because of disabled account. So ensure you keep the Azure AD Connect Sync Cycle to run every 30 minutes once.
- Revoke the Tokens using PowerShell – Revoke-AzureADUserAllRefreshToken –ObjectID “ID”
This command would revoke all the tokens including the Password based Cookie which we use on OWA.
Optionally / Additionally… we can do the below changes.
- Disabling Exchange Protocols: Exchange Online will automatically prompt the user to re-authenticate when password changes when accessing Exchange using MAPI, OWA, EWS, POP/IMAP. In addition to that, disable those protocol immediately once the user is terminated.
- Block the Sign-In in Azure AD: User account can be blocked from Sign in Azure using below command
- Remote wipe the user mobile device:
Important thing to note: Note: The user will still have access to the Outlook cached mode data on the desktop and if it is on a personal desktop, there is no way to prevent the users from exporting the data to PST.
So, what is the option available for this scenario? Ensure you are allowing access to company data only from company managed (Azure AD Domain Joined) machines. On other side, enable litigation hold to retain the data for ever.