Hey everyone! We recently had a situation where we had to terminate a user immediately after a meeting with HR. Our sys admin disabled their account right after, but it took about 30 minutes for that change to propagate through the system. During that time, the user managed to mess with some of our device configuration profiles, which we now have to rebuild. This incident got us thinking about the quickest ways to cut off access for users we can't trust. I've read about options like resetting passwords, isolating the device, and rotating the BitLocker key to force a reboot. I'm curious to know, what have you found to be the most effective methods to quickly cut access in these situations?
4 Answers
Check out the Microsoft documentation on revoking access. It mentions scenarios where you’d need to revoke access immediately, like with a compromised account or when someone is terminated. Remember, depending on your setup, there's sometimes a delay between revoking access and actually locking the user out, so it's good to be aware of that.
Just curious, what do you mean by it taking an hour to propagate? Did you notice any delays with the account being disabled?
If you have MFA enforced, that's a great start! What I do is reset the user’s password, delete all their authentication methods in Entra, revoke their MFA sessions, and then remove all sign-in sessions for that user. This effectively locks them out since they'd need to register for MFA again but won't have the password to do so. A solid safety measure!
Sounds good! Are the password resets and sign-in revocations pretty instant, or do they also take time to apply?
Thanks for the resource! I'll definitely give it a look.
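The sequence from the answer above (reset the password, delete the registered authentication methods, revoke sign-in sessions) can be scripted against Microsoft Graph so it runs in one go. This is an added example, not code from the thread or from Microsoft's documentation; the function name `Revoke-UserAccessNow` is hypothetical, and it assumes the Microsoft.Graph.Authentication module and an existing `Connect-MgGraph` session with rights to update the user and manage their authentication methods.

```powershell
# Added example; Revoke-UserAccessNow is a hypothetical name.
# Assumes an existing Connect-MgGraph session with sufficient rights.
function Revoke-UserAccessNow {
    param([Parameter(Mandatory)][string]$UserId)   # object ID or UPN
    $base = "https://graph.microsoft.com/v1.0/users/$UserId"

    # 1. Reset the password to a random value that is never stored or shown.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $body = @{ passwordProfile = @{
        password                      = [Convert]::ToBase64String($bytes) + 'aA1!'
        forceChangePasswordNextSignIn = $true } } | ConvertTo-Json -Depth 3
    Invoke-MgGraphRequest -Method PATCH -Uri $base -Body $body `
        -ContentType 'application/json' | Out-Null

    # 2. Delete every registered authentication method. The password method
    #    cannot be deleted, so it has no entry in this map.
    $segment = @{
        '#microsoft.graph.phoneAuthenticationMethod'                  = 'phoneMethods'
        '#microsoft.graph.emailAuthenticationMethod'                  = 'emailMethods'
        '#microsoft.graph.fido2AuthenticationMethod'                  = 'fido2Methods'
        '#microsoft.graph.softwareOathAuthenticationMethod'           = 'softwareOathMethods'
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = 'microsoftAuthenticatorMethods'
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'    = 'temporaryAccessPassMethods'
    }
    $failed = @()
    foreach ($pass in 1..2) {   # retry once: a default method may only delete after the others
        $methods = (Invoke-MgGraphRequest -Method GET -Uri "$base/authentication/methods").value
        $failed = @()
        foreach ($m in $methods) {
            $seg = $segment[$m.'@odata.type']
            if (-not $seg) { continue }
            try   { Invoke-MgGraphRequest -Method DELETE `
                        -Uri "$base/authentication/$seg/$($m.id)" | Out-Null }
            catch { $failed += $m.id }
        }
        if (-not $failed) { break }
    }

    # 3. Invalidate refresh tokens so existing sessions cannot renew silently.
    Invoke-MgGraphRequest -Method POST -Uri "$base/revokeSignInSessions" | Out-Null

    # Report anything that could not be removed so it can be handled by hand.
    [pscustomobject]@{ UserId = $UserId; MethodsNotRemoved = $failed }
}
```

Revoking sign-in sessions invalidates refresh tokens; access tokens that were already issued stay valid until they expire unless the resource enforces continuous access evaluation, which is one source of the delay discussed in this thread.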