If you are using SharePoint online in your organization, it is wise to know about the below issue (or feature?).
If you have followed Microsoft best practice and have added your company zone to the trusted zones and also instructed the users to tick the “remember my password” it seems like that the cookie generated during this procedure would be valid even if you disable this user and revoke their login permissions (unless your process is to delete AD/O365 accounts immediately).

Steps you would/can take to decommission a user account
Environment setup: AD password synced
Change the user password
Disable the account
Remove license
Block “sign in” on Office 365 [update: This will stop access after 1 hour]

SharePoint online access will still work even though you do any of the steps above!!

How do I block  access?
You would have to remove access from the SharePoint site level permissions. Depending on if you are using security groups or actual user accounts to grant access, we would have to remove the terminated user from the group and then force a sync to azure AD.

Scenarios not tested: ADFS SSO environment, Deleting the account (this should work as then SharePoint site permissions would be removed too)

Update: I have logged a ticket with Microsoft regarding this issues and will upadate this post when I hear back from them.

Update2: MS came back with the below. So you could use the block sign in option but it will need about an hour to take effect.

Once admin blocked the user in the MSODS (O365 global AD), the msonline-AccountEnabled for that user in MSODS will be updated to false for that user , it need about 1 hour for syncing the msonline-AccountEnabled value to SPODS (SharePoint online AD). It is a  by design behavior according to the feedbacks from back-end team.

 

Screenshots:
Generated cookie details (IECookiesView.exe)
01102015-cookie

Remove User from the SPOnline Site permissions: access will be denied
01102015-deni

One Thought on “Office 365 SharePoint online, Revoking user access issues

  1. Pingback: see this

Leave a Reply

Your email address will not be published.

Post Navigation