Hey folks, we're using Entra for identity management and Intune for mobile device management. Recently, we had a user who was terminated unexpectedly. After their termination call with HR, our Sys Admin disabled their account, but it took about half an hour to fully propagate. Unfortunately, during that time, the user was able to mess with some of our device configuration profiles, and now we have to rebuild them. This incident sparked a discussion on better ways to quickly cut off access for users we can't trust anymore. I've heard about a few methods like resetting passwords, isolating their machine, rotating the BitLocker key, and forcing a reboot. What other options do you think are effective? What works best for you in these situations?
4 Answers
HR really should loop in the sysadmin before dropping the bomb on an employee. Ideally, you should be notified in advance so you can disable their account right when they get the call. It’s all about planning, and I've learned the hard way how chaotic it can get otherwise.
I remember a time at a job when a sudden termination led to a nasty email from the employee before I even got the memo. Never let that happen to me again!
The quickest step is to disable their login immediately. To be even safer, change their password before disabling the account. This way, they can't log in at all, and you mitigate any risk just in case they still have access during that brief downtime.
Totally agree! If you need to keep the user in the system for whatever reason, just make sure to adjust their profile to a more restrictive access level.
Exactly! And don’t forget to revoke all active sessions right away too.
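The three steps this answer thread lays out (disable sign-in, change the password, revoke active sessions) can be scripted so they take seconds rather than a manual half hour. The following is an added example, not code from the original thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, the operator holds a role permitted to reset this user's password, and consent exists for the scopes listed. The UPN is a placeholder, the `-TouchDevices` switch and the function name are my own, and the optional device step (rotate BitLocker keys, reboot) goes beyond the thread to cover the actions the question mentions; Defender endpoint isolation is a separate API and is not included.

```powershell
<#
  Added example (not from the thread): emergency offboarding via Microsoft Graph.
  Order: disable account -> scramble password -> revoke refresh tokens ->
  optionally rotate BitLocker keys and reboot the user's Intune Windows devices.
#>
function Invoke-EmergencyOffboard {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $TouchDevices   # hypothetical switch: also act on Intune devices
    )

    Connect-MgGraph -NoWelcome -Scopes @(
        'User.ReadWrite.All',
        'User.RevokeSessions.All',
        'DeviceManagementManagedDevices.PrivilegedOperations.All'
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

    # 1. Disable sign-in first; this is the single fastest switch to flip.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable account')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # 2. Replace the password with a random value nobody knows.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $scrambled = [Convert]::ToBase64String($bytes) + 'Aa1!'   # meets complexity rules
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Reset password')) {
        Update-MgUser -UserId $user.Id -PasswordProfile @{
            Password                      = $scrambled
            ForceChangePasswordNextSignIn = $true
        }
    }

    # 3. Revoke refresh tokens so no client can silently renew. Access tokens
    #    already issued remain valid until they expire (up to about an hour)
    #    unless Continuous Access Evaluation is enforced for the tenant.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    }

    # 4. Optional: find the user's Intune-managed devices and act on them.
    $deviceResults = @()
    if ($TouchDevices) {
        $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
               "?`$filter=userPrincipalName eq '$($user.UserPrincipalName)'"
        $devices = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
        foreach ($d in $devices) {
            $base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)"
            $beta = $base -replace '/v1\.0/', '/beta/'
            if ($PSCmdlet.ShouldProcess($d.deviceName, 'Rotate BitLocker keys and reboot')) {
                if ($d.operatingSystem -eq 'Windows') {
                    # rotateBitLockerKeys is exposed on the beta endpoint only.
                    Invoke-MgGraphRequest -Method POST -Uri "$beta/rotateBitLockerKeys"
                }
                Invoke-MgGraphRequest -Method POST -Uri "$base/rebootNow"
            }
            $deviceResults += $d.deviceName
        }
    }

    [pscustomobject]@{
        User             = $user.UserPrincipalName
        AccountDisabled  = $true
        PasswordReset    = $true
        SessionsRevoked  = $true
        DevicesTouched   = $deviceResults
    }
}

# Dry run first, then for real (placeholder UPN):
Invoke-EmergencyOffboard -UserPrincipalName 'departing.user@example.com' -TouchDevices -WhatIf
```

Run it with `-WhatIf` once to confirm the right user and devices are selected, then without. Because `SupportsShouldProcess` gates every mutating call, a typo in the UPN fails at `Get-MgUser` before anything is changed, and the returned object gives the sysadmin a record of what was done for the incident ticket.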
You might want to check out this Microsoft guidance on revoking user access. It covers a lot that can help streamline this process: [Microsoft Guidance](https://learn.microsoft.com/en-us/entra/identity/users/users-revoke-access).
Thanks for sharing that link!
Consider using Privileged Identity Management (PIM), and set up a continuous access evaluation conditional access policy. If HR needs to work closely with someone, they might prefer to alert IT for extra monitoring. No reason it should take 30 minutes to lock someone out in today’s tech world.
In our remote work setup, the timing can get tricky, but that’s when communication is key!