
Reset MFA Access

Brooklyn Leep 0 Reputation points
2026-03-15T14:45:21.8066667+00:00

“We have terminated an employee who was a Microsoft 365 admin and we need to immediately secure the tenant and reset MFA access.”

Microsoft 365 and Office | Subscription, account, billing | For business | Other

2 answers

  1. Daniel-Vo 5,845 Reputation points Microsoft External Staff Moderator
    2026-03-16T09:54:42.19+00:00

    Dear Brooklyn Leep,

    Thank you for posting your question on the Microsoft Q&A forum.

    To help secure your tenant after terminating an employee who had admin privileges, you may consider performing the following actions:

    1/ Resetting MFA

    • Go to Microsoft Entra Admin Center: https://entra.microsoft.com
    • Navigate to Users > All Users.
    • Select the affected account.
    • Go to Authentication Methods.
    • Click "Revoke multifactor authentication sessions" and then remove all registered MFA methods.

    2/ Reset password

    • Go to Microsoft Admin Center: https://admin.microsoft.com
    • Navigate to Users > All Users.
    • Select the affected account > Reset password.

    You may also select Sign out of all sessions to immediately revoke any active sign-ins.

    3/ Remove Admin roles

    • In Microsoft admin center, select the affected user.
    • Go to Roles.
    • Remove all admin roles.

    I hope the information above is helpful. If you have any further questions, please feel free to reach out.


    If this answer resolves your issue, please click “Accept Answer” and consider upvoting it. If you have additional questions regarding this response, kindly click “Comment.”

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



  2. Q&A Assist
    2026-03-15T14:45:36.6633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Follow these steps to immediately secure the tenant and reset MFA access after terminating an admin:

    1. Reset the terminated admin’s password and sign out of all sessions
      In the Microsoft 365 admin center:
      • Go to Users > Active users.
      • Select the terminated admin’s account and choose Reset password. Configure a strong random password and require password change on next sign-in if the account will be reassigned later.
      • After resetting the password, select the user again, go to the Account tab, and select Sign out of all sessions. This invalidates existing sessions within about an hour, or sooner if they navigate away or refresh.
      • For immediate sign-out via PowerShell, use Revoke-MgUserSignInSession -UserId <UPN> as documented in the compromised account guidance.
    2. Revoke all active sessions using Microsoft Graph PowerShell (strongly recommended for a compromised/terminated admin)
      On a secure workstation with appropriate admin rights:
      • Run PowerShell as administrator and set execution policy:
             Set-ExecutionPolicy RemoteSigned
        
      • Install Graph modules if needed:
             Install-Module Microsoft.Graph.Authentication
             Install-Module Microsoft.Graph.Users.Actions
        
      • Connect with the required scope:
             Connect-MgGraph -Scopes User.RevokeSessions.All
        
      • Revoke sessions for the terminated admin:
             Revoke-MgUserSignInSession -UserId <UPN>
        
      This immediately invalidates access tokens associated with that account.
    3. Reset or remove MFA methods and app passwords for the terminated admin
      • Ensure the account’s MFA methods are cleared or re-registered by another admin so the former employee cannot approve sign-ins.
      • If app passwords were used (for legacy clients), ensure they are deleted and not reused. App passwords are not automatically revoked by a simple password reset; they must be explicitly removed and recreated if the account is reassigned.
    4. If the account is synced or federated, secure it on-premises
      • If the admin account is synchronized from Active Directory, reset the password in AD, and reset it twice to mitigate pass-the-hash risk, using tools such as Set-ADAccountPassword.
      • If the identity is federated, change the password in the on-premises identity system and notify the appropriate identity/security admin.
    5. Enable and enforce MFA for remaining admins and critical accounts
      • Ensure all remaining Global Administrators and other privileged roles have MFA enforced.
      • Use strong, phishing-resistant MFA where possible, especially for admin accounts.
      • If security defaults or Conditional Access are in place, verify that admin accounts comply and can still access required services.
    6. Review and tighten admin role assignments
      • Confirm that the terminated admin’s account is removed from all privileged roles (Global Administrator, Privileged Role Administrator, etc.).
      • Follow least-privilege guidance: keep the number of Global Administrators minimal and use more limited roles (for example, Password Administrator or Helpdesk Administrator) where possible.
      • Ensure at least one other privileged account (for example, Privileged Authentication Administrator) exists to reset admin passwords and MFA if needed.
    7. Implement or verify self-service password reset (SSPR) and MFA registration policies
      • Enable SSPR and combined security information registration so users and admins can securely manage their own passwords and MFA methods, reducing future lockout risk.
      • Ensure admins are registered with multiple MFA methods (Authenticator app plus at least one backup method) to avoid single-device dependency.
    8. If tenant access is at risk (for example, only terminated admin had Global Admin)
      • If no remaining Global Admin can sign in, follow Microsoft’s tenant access recovery process via Microsoft 365 support. Identity verification will be required; Microsoft for Nonprofits or partners cannot bypass this process.

    These steps collectively reset the terminated admin’s password, revoke all active sessions, remove or reset MFA methods, and harden the remaining admin surface with MFA and least-privilege roles.



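Both answers above walk through the same sequence by hand: block the account, revoke sessions, clear the registered MFA methods, and strip the admin role assignments. The script below is an added example (not code from either answer or from Microsoft) that runs that sequence with the Microsoft Graph PowerShell SDK and then verifies the result. It assumes the Microsoft.Graph module is installed, that the operator holds a role allowed to manage authentication methods and role assignments, and that `$Upn` is the terminated admin's UPN (a placeholder).

```powershell
# Added example: offboard a terminated admin with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph SDK (v2 cmdlet names) and a privileged operator account.
param([Parameter(Mandatory)][string]$Upn)   # placeholder: UPN of the terminated admin

Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All',
    'UserAuthenticationMethod.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Block sign-in and invalidate refresh tokens / session cookies first, so a still-valid
#    session cannot be used to undo the steps that follow.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Remove every registered MFA method. The password method cannot be deleted and is skipped;
#    any type this map does not know is reported so it can be removed by hand in the portal.
$removers = @{
  '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = { param($u, $id)
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id }
  '#microsoft.graph.phoneAuthenticationMethod' = { param($u, $id)
    Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id }
  '#microsoft.graph.fido2AuthenticationMethod' = { param($u, $id)
    Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $id }
  '#microsoft.graph.softwareOathAuthenticationMethod' = { param($u, $id)
    Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id }
  '#microsoft.graph.emailAuthenticationMethod' = { param($u, $id)
    Remove-MgUserAuthenticationEmailMethod -UserId $u -EmailAuthenticationMethodId $id }
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
  $type = $m.AdditionalProperties['@odata.type']
  if ($removers.ContainsKey($type)) { & $removers[$type] $user.Id $m.Id; "removed $type" }
  elseif ($type -ne '#microsoft.graph.passwordAuthenticationMethod') {
    Write-Warning "remove manually: $type ($($m.Id))"
  }
}

# 3. Remove every active directory role assignment held directly by the account
#    (Global Administrator included).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
  ForEach-Object {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id
    "removed role assignment $($_.RoleDefinitionId)"
  }

# 4. Verify: no role assignments left, and only the password method still registered.
$roles   = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All)
$methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
"sign-in enabled: $((Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled); " +
"roles remaining: $($roles.Count); auth methods remaining: $($methods.Count)"
```

Step 3 only covers direct active assignments: PIM eligible assignments and roles inherited through role-assignable groups are not returned by that query and must be checked separately, as must app passwords, which are not exposed through this API.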
