Step 1 - Prevent a former employee from logging in and block access to Microsoft 365 services
If you need to immediately prevent a user's sign-in access, reset their password. When you do this, you force a sign out of the user from Microsoft 365.
Note
You need to be a global administrator to initiate sign-out for other administrators. For non administrator users, you can use a User Administrator or a Helpdesk Administrator user to perform this action. Learn more about the Admin Roles
- In the admin center, go to the Users > Active users page.
- Select the box next to the user's name, and then select Reset password.
- Enter a new password, and then select Reset.
- On the Reset password page, choose whether to automatically create the new password or create one yourself. You can also email the new password to yourself. Make sure you don't email the password to the former employee.
- Select Reset password and then Close.
- Select the user's name again, and on the Account tab, select Sign out of all sessions.
Within an hour - or after they leave the current Microsoft 365 page they're on - they're prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether they leave the current webpage.
Important
If the user is in Outlook on the web, just clicking around in their mailbox, they may not be kicked out immediately. As soon as they select a different tile, such as OneDrive, or refresh their browser, the sign-out is initiated.
To use PowerShell to sign out a user immediately, see the Revoke-MgUserSignInSession cmdlet.
For more information about how long it takes to get someone out of email, see What you need to know about terminating an employee's email session.
Block a former employee's access to Microsoft 365 services
Important
Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, follow the steps above and reset their password.
- In the admin center, go to the Users > Active users page.
- Select the name of the employee that you want to block, and under the user's name, select the symbol for Block this user and then select Block sign-in.
- On the Block sign-in page, select Block this user from signing in and then Save changes.
Block a former employee's access to email (Exchange Online)
If you have email as part of your Microsoft 365 subscription, sign in to the Exchange admin center and follow these steps to block your former employee from accessing their email.
Go to the Exchange admin center > Recipients > Mailboxes.
Select the former employee's mailbox and then under Email apps & mobile devices, select Manage email apps settings.
On the Manage email apps settings page, turn Off the slider for all the options:
- Outlook desktop (MAPI)
- Exchange web services
- Mobile (Exchange ActiveSync)
- IMAP
- POP3
- Outlook on the web
Select Save.
Related content
Exchange admin center in Exchange Online (article)\
Restore a user (article)