Target
This applies to customers implementing federation with HENNGE Access Control in Microsoft 365.
Purpose
An administrator disconnects Microsoft 365 (Microsoft Entra ID) Modern Authentication (Advanced Authentication) sessions and requires users to reauthenticate. Common use cases include enforcing login to Microsoft 365 via HENNGE Access Control after federation is established.
Notes
1. The content of this article is based on Microsoft's product as of November 2023. It may change without notice due to updates or specification changes.
2. Perform these steps as a user in the onmicrosoft.com domain.
3. We recommend notifying users in advance as needed.
Detailed Procedure Explanation
Pre-checks
1. The Microsoft Graph PowerShell SDK module must be installed in PowerShell. Make sure the following is completed in advance.
Install Microsoft Graph PowerShell SDK
1. Connect to Microsoft Graph
Launch Windows PowerShell with administrator privileges and execute the following command:
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
A sign-in dialog appears. Sign in with an account that has global administrator permissions in Microsoft 365.
2. Disconnect Individual User's Modern Authentication Session
To disconnect an individual user's Modern Authentication session, execute the following command:
※ After executing the command, it may take some time for the disconnection to take effect.
Revoke-MgUserSignInSession -UserId "Username"
Example:
If the target user is "user@example.com", the command is as follows:
Revoke-MgUserSignInSession -UserId user@example.com
3. Disconnect Modern Authentication Sessions for All Users
Execute the following command:
※ After executing the command, it may take some time for the disconnection to take effect.
foreach($user in Get-MgUser -ALL){Revoke-MgUserSignInSession -UserId $user.id}
4. Disconnect from Microsoft Graph
Execute the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph
※ The [Connect-MgGraph] command retains previously authenticated credentials, so the next time you run it you are not asked to sign in. To make sure you are signed out, run [Disconnect-MgGraph].
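Steps 1 to 4 combined into one script, as an added example that is not part of the original article and is not HENNGE's or Microsoft's own code. It revokes sessions for every user, records per-user failures instead of stopping, and reads back each user's signInSessionsValidFromDateTime property (which Microsoft Graph resets when sessions are revoked) to confirm the change. The report path is an assumption.

```powershell
# Added example (not from the original article). Run in the same kind of
# administrator PowerShell session as the steps above.
# Assumption: .\revoke-report.csv is a hypothetical output path.
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
try {
    $started = (Get-Date).ToUniversalTime()
    $users   = Get-MgUser -All -Property Id,UserPrincipalName

    # Revoke per user; record failures instead of aborting the whole run.
    $report = @(foreach ($user in $users) {
        $status = 'Revoked'; $detail = ''
        try {
            Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
        }
        catch {
            $status = 'Failed'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Id                = $user.Id
            Status            = $status
            ValidFrom         = $null
            Detail            = $detail
        }
    })

    # Revocation resets signInSessionsValidFromDateTime; read it back to confirm.
    # One minute of tolerance covers clock skew between this host and the service.
    foreach ($row in $report) {
        if ($row.Status -ne 'Revoked') { continue }
        $u = Get-MgUser -UserId $row.Id -Property Id,SignInSessionsValidFromDateTime
        $row.ValidFrom = $u.SignInSessionsValidFromDateTime
        if ($row.ValidFrom -lt $started.AddMinutes(-1)) {
            $row.Status = 'RevokedNotYetVisible'   # may lag; re-check later
        }
    }

    $report | Export-Csv -Path .\revoke-report.csv -NoTypeInformation -Encoding UTF8
    $report | Group-Object Status | Select-Object Name, Count
}
finally {
    # Always sign out, even if the run failed part-way (see step 4).
    Disconnect-MgGraph | Out-Null
}
```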