Force sign-out users in Microsoft 365 with PowerShell
We want to sign out a user from Microsoft 365. We also want to disable the user account, reset their password, and disable their registered devices. What if we want to do this for a single user, multiple users, or all users? In this article, you will learn how to force sign-out users in Microsoft 365 with PowerShell.
Set-Signout PowerShell script
It’s a script packed with multiple actions, enhancing security after user accounts are compromised or helping you to automate your tasks with PowerShell.
The Set-SignOut.ps1 PowerShell script works for Microsoft 365 and has the following options:
- Reset password
The “Reset Password” action allows you to change the password of a user account and enforce a password change on the next sign-in. This is useful when you need to reset a user’s password due to security concerns or if they have forgotten their password. By forcing a password change on the next sign-in, you ensure the user sets a new password to regain access to their account.
- Disable devices
The “Disable Devices” action targets registered devices associated with a user and disables them. When a device is disabled, it prevents the user from accessing resources from that particular device. This action is beneficial in situations where you want to restrict access from specific devices, such as lost or stolen devices.
- Sign out
The “Sign Out” action logs out the user from all active sessions. It revokes their access tokens and forces them to sign in again to access any resources. This action is useful in scenarios where you want to immediately terminate all user sessions, such as when an account has been compromised or when a user should no longer have access to resources.
- Block sign-in
The “Block Sign-In” action disables the ability of a user to sign in to their account. By blocking sign-in, you prevent the user from accessing any Azure AD-integrated services or resources. This action is typically used when you want to temporarily or permanently restrict a user’s access to their account and associated resources.
Note: The script can be run against a single user, multiple users, or all users in Microsoft 365. You can use the -Exclude parameter if you want users to be excluded.
Install Microsoft Graph PowerShell
Before we can proceed further and force sign-out users and change their passwords, we need to Install Microsoft Graph PowerShell.
Start Windows PowerShell as administrator and run the below commands.
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.
Prepare Set-SignOut PowerShell script
Create a folder on the (C:) drive with the name Scripts.
Download the Set-SignOut.ps1 PowerShell script and place it in the C:\scripts folder.
Another option is to copy and paste the below code into Notepad. Give it the name Set-SignOut.ps1 and place it in the C:\scripts folder.
<#
.SYNOPSIS
Set-SignOut.ps1
.DESCRIPTION
Reset user(s) password, disable devices, sign-out all sessions, block sign-in.
.LINK
www.alitajran.com/force-sign-out-users-microsoft-365/
.NOTES
Written by: ALI TAJRAN
Website: www.alitajran.com
LinkedIn: linkedin.com/in/alitajran
.CHANGELOG
V1.00, 06/18/2023 - Initial version
V1.10, 07/24/2023 - Update for Microsoft Graph PowerShell changes
#>
param (
    [switch]$All,
    [switch]$ResetPassword,
    [switch]$DisableDevices,
    [switch]$SignOut,
    [switch]$BlockSignIn,
    [string[]]$Exclude,
    [string[]]$UserPrincipalNames
)

# Check if no switches or parameters are provided
if (-not $All -and -not $ResetPassword -and -not $DisableDevices -and -not $SignOut -and -not $BlockSignIn -and -not $Exclude -and -not $UserPrincipalNames) {
    Write-Host "No switches or parameters provided. Please specify the desired action using switches such as -All, -ResetPassword, -DisableDevices, -SignOut, -BlockSignIn, or provide user principal names using -UserPrincipalNames." -ForegroundColor Yellow
    Exit
}

# Connect to Microsoft Graph API
Connect-MgGraph -Scopes Directory.AccessAsUser.All

# Retrieve all users if -All parameter is specified
if ($All) {
    $Users = Get-MgUser -All
}
else {
    # Filter users based on provided user principal names
    if ($UserPrincipalNames) {
        $Users = $UserPrincipalNames | ForEach-Object { Get-MgUser -Filter "UserPrincipalName eq '$($_)'" }
    }
    else {
        $Users = @()
        Write-Host "No -UserPrincipalNames or -All parameter provided." -ForegroundColor Yellow
    }
}

# Prompt for the new password if -ResetPassword parameter is specified and there are users to process
$NewPassword = ""
if ($ResetPassword -and $Users.Count -gt 0) {
    $NewPassword = Read-Host "Enter the new password"
}

# Check if any excluded users were not found
$ExcludedNotFound = $Exclude | Where-Object { $Users.UserPrincipalName -notcontains $_ }
foreach ($excludedUser in $ExcludedNotFound) {
    Write-Host "Can't find Azure AD account for user $excludedUser" -ForegroundColor Red
}

# Check if any provided users were not found
$UsersNotFound = $UserPrincipalNames | Where-Object { $Users.UserPrincipalName -notcontains $_ }
foreach ($userNotFound in $UsersNotFound) {
    Write-Host "Can't find Azure AD account for user $userNotFound" -ForegroundColor Red
}

foreach ($User in $Users) {
    # Check if the user should be excluded
    if ($Exclude -contains $User.UserPrincipalName) {
        Write-Host "Skipping user $($User.UserPrincipalName)" -ForegroundColor Cyan
        continue
    }

    # Flag to indicate if any actions were performed for the user
    $processed = $false

    # Revoke access if -SignOut parameter is specified
    if ($SignOut) {
        # Revoke all signed in sessions and refresh tokens for the account
        Revoke-MgUserSignInSession -UserId $User.Id | Out-Null
        Write-Host "Sign-out completed for account $($User.DisplayName)" -ForegroundColor Green
        $processed = $true
    }

    # Block sign-in if -BlockSignIn parameter is specified
    if ($BlockSignIn) {
        # Block sign-in
        Update-MgUser -UserId $User.Id -AccountEnabled:$false
        Write-Host "Block sign-in completed for account $($User.DisplayName)" -ForegroundColor Green
        $processed = $true
    }

    # Reset the password if -ResetPassword parameter is specified
    if ($ResetPassword -and $NewPassword) {
        $NewPasswordProfile = @{
            "Password"                      = $NewPassword
            "ForceChangePasswordNextSignIn" = $true
        }
        Update-MgUser -UserId $User.Id -PasswordProfile $NewPasswordProfile
        Write-Host "Password reset completed for $($User.DisplayName)" -ForegroundColor Green
        $processed = $true
    }

    # Disable registered devices if -DisableDevices parameter is specified
    if ($DisableDevices) {
        # Retrieve registered devices
        $UserDevices = Get-MgUserRegisteredDevice -UserId $User.Id
        # Disable registered devices (AccountEnabled is a switch parameter, so use the colon syntax)
        if ($UserDevices) {
            foreach ($Device in $UserDevices) {
                Update-MgDevice -DeviceId $Device.Id -AccountEnabled:$false
            }
        }
        Write-Host "Disable registered devices completed for $($User.DisplayName)" -ForegroundColor Green
        $processed = $true
    }

    if (-not $processed) {
        Write-Host "No actions selected for account $($User.DisplayName)" -ForegroundColor Yellow
    }
}
Run Set-SignOut PowerShell script
Go to the scripts folder and run the script.
.\Set-SignOut.ps1
If you run it without any parameters, it tells you which parameters you must provide.
No switches or parameters provided. Please specify the desired action using switches such as -All, -ResetPassword, -DisableDevices, -SignOut, -BlockSignIn, or provide user principal names using -UserPrincipalNames.
Once you add one of the switches, you have to enter your Microsoft 365 administrator credentials and accept the permissions requested.
Let’s see which PowerShell actions you can perform.
Force sign-out single user
Sign out a single user.
.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -SignOut
Block a single user from signing in.
.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -BlockSignIn
Block a single user from signing in and reset their password.
Note: A prompt will appear to fill in the new password.
.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -BlockSignIn -ResetPassword
Block a single user from signing in, reset their password, and disable the registered devices.
.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -BlockSignIn -ResetPassword -DisableDevices
Force sign-out for multiple users
.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com","Jonathan.Fisher@exoip.com" -SignOut
Append any other parameters you want to the command above.
.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com","Jonathan.Fisher@exoip.com" -ResetPassword -DisableDevices
Force sign-out all users
.\Set-SignOut.ps1 -All -SignOut
Append any other parameters you want to the command above. Note that -ResetPassword prompts for the password only once, so with -All every user in scope receives the same temporary password and is forced to change it at the next sign-in.
.\Set-SignOut.ps1 -All -BlockSignIn -ResetPassword
The -Exclude parameter can be added to skip these user accounts.
.\Set-SignOut.ps1 -All -BlockSignIn -ResetPassword -Exclude "admin@exoip.com","John.Walt@exoip.com"
The script is flexible: you can run it against a single user, multiple users, or all users, and exclude the accounts you specify.
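After running Set-SignOut.ps1 you will want to confirm in the directory that the changes actually took effect, rather than relying on the script's console output. The following check is an added example written for this article, not part of the original script; it assumes the Microsoft.Graph module is installed and that the account running it can be granted the User.Read.All and Device.Read.All scopes.

```powershell
# Verify-SignOutState.ps1 (added example, not part of the original Set-SignOut.ps1)
# Reads back the sign-in state of the given accounts and their registered devices.
# Assumed scopes: User.Read.All and Device.Read.All.
param (
    [Parameter(Mandatory)]
    [string[]]$UserPrincipalNames
)

Connect-MgGraph -Scopes "User.Read.All", "Device.Read.All"

foreach ($upn in $UserPrincipalNames) {
    # SignInSessionsValidFromDateTime moves forward when sessions are revoked;
    # tokens issued before that timestamp are no longer accepted.
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
        -Property Id, DisplayName, UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime

    if (-not $user) {
        Write-Host "Can't find account for $upn" -ForegroundColor Red
        continue
    }

    # Registered devices come back as generic directory objects, so fetch each
    # device object to read its AccountEnabled flag.
    $devices = @(Get-MgUserRegisteredDevice -UserId $user.Id -All)
    $stillEnabled = @(
        foreach ($d in $devices) {
            $device = Get-MgDevice -DeviceId $d.Id
            if ($device.AccountEnabled) { $device.DisplayName }
        }
    )

    [PSCustomObject]@{
        User                 = $user.UserPrincipalName
        SignInBlocked        = -not $user.AccountEnabled
        SessionsRevokedSince = $user.SignInSessionsValidFromDateTime
        RegisteredDevices    = $devices.Count
        StillEnabledDevices  = ($stillEnabled -join ", ")
    }
}
```

Run it with the same -UserPrincipalNames you passed to Set-SignOut.ps1; a SessionsRevokedSince value later than the time you ran -SignOut and an empty StillEnabledDevices column confirm the revocation and device disablement were applied.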
Error 500 Repeating redirects detected in Outlook
If you use the -BlockSignIn parameter, it will block the user from signing in. After you unblock the sign-in for the user, Outlook on the web will show the below error after signing in.
Error 500 Something went wrong. Repeating redirects detected.
The solution to this error is to wait 30 minutes before it works again.
That’s it!
Note: Do you want to check all the user account sign-in status? Read the article Export Microsoft 365 disabled users report.
Conclusion
You learned how to force sign-out users in Microsoft 365 with PowerShell. The Set-SignOut PowerShell script can do more than only sign out the user, and it's an excellent script to use when you have to apply security changes to user accounts immediately.
This is a life saver
Is there a way of using this script for sign-out of all users on a specific computer, e.g. if several users have logged into the company pool laptop, can I specify that all users logged into MS365 on this laptop only can be force signed out? I don't want to force sign-out of all users from MS365 on any device, which would cause a storm. Thanks
That's nice
I love this