Share via

Employee is continuing to access my account

cierra rihn 0 Reputation points
2026-04-09T19:13:28.63+00:00

After a call with an employee who was helping me with an issue, they have been still on my server today after getting angry with me on the phone.

Azure Advisor
Azure Advisor

An Azure personalized recommendation engine that helps users follow best practices to optimize Azure deployments.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andreas Baumgarten 131.7K Reputation points MVP Volunteer Moderator
    2026-04-09T19:52:04.6+00:00

    Hi @cierra rihn ,

    the best option might be to disconnect and disable the user account in Entra Id.

    User's image

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

    Was this answer helpful?

    0 comments
  2. Q&A Assist
    2026-04-09T19:13:46.22+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Immediately stop all access from that employee and then review what they did.

    1. Disconnect and block access
      • Change all passwords that the employee might know (local admin, Azure AD accounts, RDP credentials, VPN, etc.).
      • If Microsoft Entra multifactor authentication (MFA) is enabled, verify and update security info so only trusted methods are configured. Use the Security info page referenced in the documentation to remove any methods that do not belong to you.
      • If the employee is using a work or school account in your tenant, disable or delete that account in Microsoft Entra ID so they can no longer sign in.
    2. Check sign-in and access activity
      • Sign in to the My Account portal with the affected work or school account and open My sign-ins to review recent sign-in activity.
      • Expand each sign-in and verify location, app, browser, and OS. If any sign-in is unfamiliar, immediately change the password and then go to Security info to update verification methods.
      • Pay particular attention to successful sign-ins from unfamiliar locations or devices; treat them as possible compromise and rotate credentials.
    3. Strengthen authentication
      • Ensure MFA is enforced for all admin and privileged accounts.
      • Register and verify multiple secure MFA methods (e.g., Microsoft Authenticator, hardware key, phone) so that only trusted devices can be used.
      • If there are repeated failed sign-in attempts, wait out any lockouts and then change passwords and MFA methods as needed.
    4. Involve internal security/HR and Microsoft support if needed
      • Report the behavior to internal security/HR or management so they can handle the employee misconduct and any legal or policy implications.
      • If you suspect broader compromise or cannot regain control, contact your organization’s Help desk or Microsoft global support phone numbers for Entra ID admins to escalate and have sign-in logs and MFA configuration reviewed.
    5. Ongoing monitoring
      • Continue to monitor My sign-ins for both successful and unsuccessful sign-ins. For any suspicious activity, change passwords again and update security info.
      • Consider going passwordless (for example, Windows Hello, Authenticator, or security keys) for stronger protection against credential reuse.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.