This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 42%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA4%3C/text%3E%3C/svg%3E)
I want to destroy all existing logged in sessions if user Resets Password from one logged in device. How can I achieve this?
What you can do is revoke all refresh tokens, which in turn will invalidate any active session once the access token expires (up to 1 hour delay). To do this via the UI, open the Azure AD blade > Users > select the user > hit the Revoke sessions button on top. To do it via PowerShell, use the Revoke-AzureADUserAllRefreshToken cmdlet (Azure AD module) or Revoke-MgUserSignInSession (Graph SDK for PowerShell).
Thanks for the answer.
But actually I don't want to do it manually. I want to know let's say if I have activated SSPR and any user goes and Resets Password so how can I make any active session invalid. So point here is it should be done automatically on Password Reset.
You cannot. Only specific "signals" will result in refresh token being resolved, and SSPR is not one of them. You cannot customize the list.
That said, most O365 services now support Continuous access evaluation, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#critical-event-evaluation
It will trigger also on password reset, but the application (and service) itself needs to support CAE. Refer to the article above for list of supported scenarios and prerequisites.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 18%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
This cmdlet does not seem to work anymore. It worked last week, but this seems to have stopped working. It's is showing like the module isn't even installed anymore. Any thoughts?
I believe if a admin resets the password or if the user is listed as a high risk user requiring a password reset the current sessions are reset. I tried to quickly find this again... so I'm still not 100% but that's as I remember it. @josh Revoke-MgUserSignInSession should still work
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 65%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Which Azure role needs to be active to be able to execute this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 17%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERF%3C/text%3E%3C/svg%3E)
Things have now changed with Entra ID...
Now you select Entra ID in the portal top menu => Users in the lefthand list and search for your user.
Click on the user entry in the search results and then revoke session in the top menu.