Disabling User Access in Microsoft 365

If you use Microsoft 365 (formerly known as Office 365), you may find yourself in a situation where you need to remove a user’s access. When an individual leaves your organization, it is vital to your continued security to make sure that user’s access is terminated effectively. If your organization relies on simply changing the user’s password, the user may still retain access to their account. The reason is how mail clients store credentials: programs such as Outlook, Apple Mail and Android Mail hold a token for the user’s session rather than the password itself, which is what prevents you from having to enter your password every time you open your mail client. Even after the password is changed, these tokens remain in use and continue to grant access to the mailbox until they are revoked.

To properly secure access to your Microsoft 365 tenant after a user has left, it is recommended that you perform these steps immediately after changing the user’s password:

  • Log in to the Microsoft 365 admin center with an admin account

  • Select Users > Active Users

  [Screenshot: Active Users in the menu list]

  • Click the account in question to open the settings window

  • Select the OneDrive tab

  • Click Initiate sign-out

  [Screenshot: Initiate sign-out under the OneDrive tab]

This function signs the user account out of every session it is currently connected to, which invalidates the stored tokens described above. As long as you changed the password before performing this step, the user will not be able to log back in. If you use multi-factor authentication, it is recommended that you also block the user’s access in that service as part of changing their password.
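The same three actions (block sign-in, set a new password, sign the account out everywhere) can be scripted when you have to offboard users regularly or want an auditable record of what was done. The following is an added example written for this article, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph module is installed and that the account running it holds a role allowed to update users (for example User Administrator), and takes the departing user’s sign-in name as a placeholder parameter.

```powershell
# Added example (not part of the original article): offboard a Microsoft 365 user
# with the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module
# is installed and the caller can update users. $UserPrincipalName is a placeholder
# for the departing user's sign-in name, e.g. former.employee@example.com.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

Import-Module Microsoft.Graph.Users -ErrorAction Stop
Import-Module Microsoft.Graph.Users.Actions -ErrorAction Stop

# Delegated scopes needed to disable the account, reset the password and revoke sessions.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, AccountEnabled -ErrorAction Stop
Write-Host "Offboarding $($user.DisplayName) ($UserPrincipalName)"

# 1. Block sign-in first, so no new tokens can be issued while the remaining steps run.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Set a long random password the former user has never seen. It is never written
#    out or emailed; a disabled account with an unknown password has no usable secret left.
$alphabet = [char[]]((48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 38, 42, 43, 45, 61, 63, 64))
$newPassword = -join ($alphabet | Get-Random -Count 32)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
Remove-Variable newPassword

# 3. Revoke refresh tokens and session cookies: the scripted equivalent of
#    "Initiate sign-out" in the admin center.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Verify the result and leave a line for the change record.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($after.AccountEnabled) {
    throw "Account $UserPrincipalName is still enabled; investigate before closing the ticket."
}
Write-Host "$(Get-Date -Format o): $UserPrincipalName disabled, password rotated, sessions revoked."
```

Two practical notes. Blocking sign-in is done before the password reset and the revoke on purpose: once `AccountEnabled` is false the identity platform refuses to mint new tokens, so the order closes the window in which a client could silently refresh. Revoking sessions invalidates refresh tokens, but an access token a mail client already holds stays valid until it expires (by default up to about an hour), so expect a short tail of continued access rather than an instant cut-off; the same applies to the Initiate sign-out button in the admin center.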