Force sign-out users in Microsoft 365 with PowerShell

We want to sign out a user from Microsoft 365. Also, we like to disable the user account, reset their password, and disable their registered devices. What if we like to do it for a single user, multiple users, or all the users? In this article, you will learn how to force sign-out users in Microsoft 365 with PowerShell.

Table of contents

Set-Signout PowerShell script

It’s a script packed with multiple actions, enhancing security after user accounts are compromised or helping you to automate your tasks with PowerShell.

The Set-SignOut.ps1 PowerShell script works for Microsoft 365 and has the following options:

  • Reset password
    The “Reset Password” action allows you to change the password of a user account and enforce a password change on the next sign-in. This is useful when you need to reset a user’s password due to security concerns or if they have forgotten their password. By forcing a password change on the next sign-in, you ensure the user sets a new password to regain access to their account.
  • Disable devices
    The “Disable Devices” action targets registered devices associated with a user and disables them. When a device is disabled, it prevents the user from accessing resources from that particular device. This action is beneficial in situations where you want to restrict access from specific devices, such as lost or stolen devices.
  • Sign out
    The “Sign Out” action logs out the user from all active sessions. It revokes their access tokens and forces them to sign in again to access any resources. This action is useful in scenarios where you want to immediately terminate all user sessions, such as when an account has been compromised or when a user should no longer have access to resources.
  • Block sign-in
    The “Block Sign-In” action disables the ability of a user to sign in to their account. By blocking sign-in, you prevent the user from accessing any Azure AD-integrated services or resources. This action is typically used when you want to temporarily or permanently restrict a user’s access to their account and associated resources.

Note: The script can be run against a single user, multiple users, or all users in Microsoft 365. You can use the -Exclude parameter if you want users to be excluded.

Install Microsoft Graph Powershell

Before we can proceed further and force sign-out users and change their passwords, we need to Install Microsoft Graph PowerShell.

Start Windows PowerShell as administrator and run the below commands.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Prepare Set-SignOut PowerShell script

Create a folder on the (C:) drive with the name Scripts.

Download the Set-SignOut.ps1 PowerShell script and place it in C:\scripts folder.

Another option is to copy and paste the below code into Notepad. Give it the name Set-SignOut.ps1 and place it in the C:\scripts folder.

<#
    .SYNOPSIS
    Set-SignOut.ps1

    .DESCRIPTION
    Reset user(s) password, disable devices, sign-out all sessions, block sign-in.

    .LINK
    www.alitajran.com/force-sign-out-users-microsoft-365/

    .NOTES
    Written by: ALI TAJRAN
    Website:    www.alitajran.com
    LinkedIn:   linkedin.com/in/alitajran

    .CHANGELOG
    V1.00, 06/18/2023 - Initial version
    V1.10, 07/24/2023 - Update for Microsoft Graph PowerShell changes
#>

param (
    [switch]$All,
    [switch]$ResetPassword,
    [switch]$DisableDevices,
    [switch]$SignOut,
    [switch]$BlockSignIn,
    [string[]]$Exclude,
    [string[]]$UserPrincipalNames
)

# Check if no switches or parameters are provided
if (-not $All -and -not $ResetPassword -and -not $DisableDevices -and -not $SignOut -and -not $BlockSignIn -and -not $Exclude -and -not $UserPrincipalNames) {
    Write-Host "No switches or parameters provided. Please specify the desired action using switches such as -All, -ResetPassword, -DisableDevices, -SignOut, -BlockSignIn, or provide user principal names using -UserPrincipalNames." -ForegroundColor Yellow
    Exit
}

# Connect to Microsoft Graph API
Connect-MgGraph -Scopes Directory.AccessAsUser.All

# Retrieve all users if -All parameter is specified
if ($All) {
    $Users = Get-MgUser -All
}
else {
    # Filter users based on provided user principal names
    if ($UserPrincipalNames) {
        $Users = $UserPrincipalNames | Foreach-Object { Get-MgUser -Filter "UserPrincipalName eq '$($_)'" }
    }
    else {
        $Users = @()
        Write-Host "No -UserPrincipalNames or -All parameter provided." -ForegroundColor Yellow
    }
}

# Prompt for the new password if -ResetPassword parameter is specified and there are users to process
$NewPassword = ""
if ($ResetPassword -and $Users.Count -gt 0) {
    $NewPassword = Read-Host "Enter the new password"
}

# Check if any excluded users were not found
$ExcludedNotFound = $Exclude | Where-Object { $Users.UserPrincipalName -notcontains $_ }
foreach ($excludedUser in $ExcludedNotFound) {
    Write-Host "Can't find Azure AD account for user $excludedUser" -ForegroundColor Red
}

# Check if any provided users were not found
$UsersNotFound = $UserPrincipalNames | Where-Object { $Users.UserPrincipalName -notcontains $_ }
foreach ($userNotFound in $UsersNotFound) {
    Write-Host "Can't find Azure AD account for user $userNotFound" -ForegroundColor Red
}

foreach ($User in $Users) {
    # Check if the user should be excluded
    if ($Exclude -contains $User.UserPrincipalName) {
        Write-Host "Skipping user $($User.UserPrincipalName)" -ForegroundColor Cyan
        continue
    }
    
    # Flag to indicate if any actions were performed for the user
    $processed = $false  

    # Revoke access if -SignOut parameter is specified
    if ($SignOut) {
        Write-Host "Sign-out completed for account $($User.DisplayName)" -ForegroundColor Green

        # Revoke all signed in sessions and refresh tokens for the account
        $SignOutStatus = Revoke-MgUserSignInSession -UserId $User.Id

        $processed = $true
    }

    # Block sign-in if -BlockSignIn parameter is specified
    if ($BlockSignIn) {
        Write-Host "Block sign-in completed for account $($User.DisplayName)" -ForegroundColor Green

        # Block sign-in
        Update-MgUser -UserId $User.Id -AccountEnabled:$False

        $processed = $true
    }

    # Reset the password if -ResetPassword parameter is specified
    if ($ResetPassword -and $NewPassword) {
        $NewPasswordProfile = @{
            "Password"                      = $NewPassword
            "ForceChangePasswordNextSignIn" = $true
        }
        Update-MgUser -UserId $User.Id -PasswordProfile $NewPasswordProfile
        Write-Host "Password reset completed for $($User.DisplayName)" -ForegroundColor Green

        $processed = $true
    }

    # Disable registered devices if -DisableDevices parameter is specified
    if ($DisableDevices) {
        Write-Host "Disable registered devices completed for $($User.DisplayName)" -ForegroundColor Green
        
        # Retrieve registered devices
        $UserDevices = Get-MgUserRegisteredDevice -UserId $User.Id

        # Disable registered devices
        if ($UserDevices) {
            foreach ($Device in $UserDevices) {
                Update-MgDevice -DeviceId $Device.Id -AccountEnabled $false
            }
        }

        $processed = $true
    }

    if (-not $processed) {
        Write-Host "No actions selected for account $($User.DisplayName)" -ForegroundColor Yellow
    }
}

This is how it looks.

Force sign-out users in Microsoft 365 with PowerShell script

Run Set-SignOut PowerShell script

Go to the scripts folder and run the script.

.\Set-SignOut.ps1

If you don’t put any parameters, it will show that you must enter parameters.

No switches or parameters provided. Please specify the desired action using switches such as -All, -ResetPassword, -DisableDevices, -SignOut, -BlockSignIn, or provide user principal names using -UserPrincipalNames.

Once you add one of the switches, you have to Enter your Microsoft administrator credentials and Accept the permissions requested.

Force sign-out users in Microsoft 365 with PowerShell Graph

Let’s see which PowerShell actions you can perform.

Force sign-out single user

Sign out a single user.

.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -SignOut

Block a single user from signing in.

.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -BlockSignIn

If you want to block a single user from signing in and reset their password.

Note: A prompt will appear to fill in the new password.

.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -BlockSignIn -ResetPassword

Block a single user from signing in, reset their password, and disable the registered devices.

.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com" -BlockSignIn -ResetPassword -DisableDevices

Force sign-out for multi-users

.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com","Jonathan.Fisher@exoip.com" -SignOut

Just append the parameters you like to the above command to set it.

.\Set-SignOut.ps1 -UserPrincipalNames "Amanda.Morgan@exoip.com","Jonathan.Fisher@exoip.com" -ResetPassword -DisableDevices

Force sign-out all users

.\Set-SignOut.ps1 -All -SignOut

Just append the parameters you like to the above command to set it.

.\Set-SignOut.ps1 -All -BlockSignIn -ResetPassword

The -Exclude parameter can be added to skip these user accounts.

.\Set-SignOut.ps1 -All -BlockSignIn -ResetPassword -Exclude "admin@exoip.com","John.Walt@exoip.com"

The script is powerful because you can only run it against a single user, multiple users, and all the users, including those you want to exclude.

Error 500 Repeating redirects detected in Outlook

If you use the -BlockSignIn parameter, it will block the user from signing in. After you unblock the sign-in for the user, Outlook on the web will show the below error after signing in.

Error 500 Something went wrong. Repeating redirects detected.

The solution to this error is to wait 30 minutes before it works again.

That’s it!

Note: Do you want to check all the user account sign-in status? Read the article Export Microsoft 365 disabled users report.

Read more: Block sign-in from shared mailboxes »

Conclusion

You learned how to force sign-out users in Microsoft 365 with PowerShell. The Set-SignOut PowerShell can do more than only sign out the user, and it’s an excellent script to use when you have to apply security changes to user accounts immediately.

Did you enjoy this article? You may also like Configure Office 365 SMTP relay. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 4 Comments

  2. Is there a way of using this script for signout of all users on a specific computer e.g. if several users have logged into the company pool laptop can I specify all users logged into MS365 on this laptop only can be forced signed out? I don’t want to force signout all users from MS365 on any device which would cause a storm. Thanks

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *