Step 1 - Prevent a former employee from logging in and block access to Microsoft 365 services

If you need to immediately prevent a user's sign-in access, you should reset their password. In this step, you reset the password and then force the user to sign out of Microsoft 365.

Note

You need to be a global administrator to initiate sign-out for other administrators. For non-administrator users, a User Administrator or a Helpdesk Administrator can perform this action. Learn more about the Admin Roles.

  1. In the admin center, go to the Users > Active users page.
  2. Select the box next to the user's name, and then select Reset password.
  3. Enter a new password, and then select Reset. (Don't send it to them.)
  4. Select the user's name to go to their properties pane, and on the Account tab, select Sign out of all sessions.

Within an hour - or after they leave the current Microsoft 365 page they are on - they're prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether they navigate out of their current webpage.

Important

If the user is in Outlook on the web, just clicking around in their mailbox, they may not be kicked out immediately. As soon as they select a different tile, such as OneDrive, or refresh their browser, the sign-out is initiated.

To use PowerShell to sign out a user immediately, see the Revoke-AzureADUserAllRefreshToken cmdlet.

For more information about how long it takes to get someone out of email, see What you need to know about terminating an employee's email session.

Block a former employee's access to Microsoft 365 services

Important

Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, follow the steps above and reset their password.

  1. In the admin center, go to the Users > Active users page.
  2. Select the name of the employee that you want to block, and under the user's name, select the symbol for Block this user.
  3. Select Block the user from signing in, and then select Save.

Block a former employee's access to email (Exchange Online)

If you have email as part of your Microsoft 365 subscription, sign in to the Exchange admin center and follow these steps to block your former employee from accessing their email.

  1. Go to the Exchange admin center > Recipients > Mailboxes.
  2. Select the user mailbox from the list and then, in the Details pane (on the right-hand side), select Manage email apps settings under Email apps. Turn off the slider for all the options: Mobile (Exchange ActiveSync), Outlook on the web, Outlook desktop (MAPI), Exchange web services, POP3, and IMAP.
  3. Select Save.
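
The three procedures above (password reset and sign-out, sign-in block, and email app settings) combined into one PowerShell script. This is an added example, not part of the original article. It assumes the AzureAD module (which provides the Revoke-AzureADUserAllRefreshToken cmdlet mentioned above) and the ExchangeOnlineManagement module are installed; the user principal name is a constructed placeholder.

```powershell
#Requires -Modules AzureAD, ExchangeOnlineManagement
param(
    # Constructed placeholder: replace with the former employee's UPN.
    [string]$UserPrincipalName = 'former.employee@contoso.example'
)
$ErrorActionPreference = 'Stop'   # stop on the first failure so no step is silently skipped

Connect-AzureAD | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# 1. Reset the password to a random value that is never displayed or sent to anyone.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
# The fixed suffix only guarantees all character classes; the entropy is in the random part.
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + 'aA1!') -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure

# 2. Sign out of all sessions: invalidate the user's refresh tokens.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. Block the user from signing in.
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# 4. Turn off every email app listed in the Exchange admin center step.
Set-CASMailbox -Identity $UserPrincipalName `
    -ActiveSyncEnabled $false -OWAEnabled $false -MAPIEnabled $false `
    -EwsEnabled $false -PopEnabled $false -ImapEnabled $false

# Read the settings back so the change is confirmed and can be attached to the offboarding ticket.
$aad = Get-AzureADUser -ObjectId $user.ObjectId
$cas = Get-CASMailbox -Identity $UserPrincipalName
[pscustomobject]@{
    User                   = $aad.UserPrincipalName
    AccountEnabled         = $aad.AccountEnabled
    RefreshTokensValidFrom = $aad.RefreshTokensValidFromDateTime
    ActiveSync             = $cas.ActiveSyncEnabled
    OWA                    = $cas.OWAEnabled
    MAPI                   = $cas.MAPIEnabled
    EWS                    = $cas.EwsEnabled
    POP3                   = $cas.PopEnabled
    IMAP                   = $cas.ImapEnabled
}

Disconnect-ExchangeOnline -Confirm:$false
```

In the output, AccountEnabled and all six protocol fields should read False, and RefreshTokensValidFrom should show the time of the revocation.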

Exchange admin center in Exchange Online (article)

Restore a user (article)