Target
Customers who have implemented federation with HENNGE Access Control in Microsoft 365 are the target audience.
Purpose
The purpose is to have the administrator revoke users' Modern Authentication sessions in Microsoft 365 (Microsoft Entra ID) so that those users are required to re-authenticate.
This is typically needed after federation has been set up to enforce sign-in to Microsoft 365 via HENNGE Access Control: sessions and refresh tokens obtained before federation remain valid until they expire or are revoked, so revoking them forces each user's next sign-in to go through HENNGE Access Control.
Notes
1. The content of this article is based on Microsoft's product information as of November 2024. It may be subject to change without notice due to updates or specification changes thereafter.
2. This procedure should be performed with a user in the tenant's onmicrosoft.com domain (a domain that is not federated with HENNGE Access Control).
3. It is recommended to announce to users in advance as needed.
Procedure
Preparation
1. The Microsoft Graph PowerShell SDK module must be installed in PowerShell. Please make sure the following steps have been completed in advance.
Installing Microsoft Graph PowerShell SDK
1. Connect to Microsoft Graph
Launch Windows PowerShell with administrator privileges and run the following command:
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
A login dialog will appear, please continue the login process with an account that has global administrator rights in Microsoft 365.
2. Disconnect Modern Authentication Sessions
It is possible to disconnect sessions on a user-by-user basis, domain-wide, or tenant-wide.
* After each command, it may take some time before users are actually signed out. Revocation invalidates the user's refresh tokens and browser session cookies; access tokens that have already been issued remain valid until they expire.
2.1. Disconnect Modern Authentication Session on a User-by-User Basis
Revoke-MgUserSignInSession -UserId "Username"
Example: If the target user is "user@example.com", the command would be as follows:
Revoke-MgUserSignInSession -UserId user@example.com
2.2. Disconnect Modern Authentication Sessions for All Users in a Domain
To disconnect Modern Authentication sessions for all users in a domain, run the following command:
Get-MgUser -All | Where-Object { $_.UserPrincipalName -like "*@DomainName" } | ForEach-Object { Revoke-MgUserSignInSession -UserId $_.Id }
Example: If the target domain is "example.com", the command would be as follows:
Get-MgUser -All | Where-Object { $_.UserPrincipalName -like "*@example.com" } | ForEach-Object { Revoke-MgUserSignInSession -UserId $_.Id }
2.3. Disconnect Modern Authentication Sessions for All Users in a Tenant
To disconnect Modern Authentication sessions for all users in a tenant, run the following command:
Get-MgUser -All | ForEach-Object { Revoke-MgUserSignInSession -UserId $_.Id }
3. Disconnect from Microsoft Graph
Run the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph
* Connect-MgGraph caches the authenticated credentials, so the next time it is run it signs in again without prompting. Run Disconnect-MgGraph when you are finished so that the administrator session does not remain available to whoever next opens PowerShell on that machine.
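The following script is an added example, not part of the original HENNGE article, that carries out steps 1 to 3 above for one federated domain in a single run. It adds two things a practitioner usually wants: a dry run (-WhatIf) that lists the affected users without revoking anything, and a post-check that re-reads each user's SignInSessionsValidFromDateTime, which Entra ID sets to the revocation time, so that the result can be recorded in a CSV. It assumes the Microsoft Graph PowerShell SDK is installed and uses the same delegated scopes as the article; the script name, the domain example.com and the report path are placeholders.

```powershell
<#
  Added example (not code from the original article): revoke Modern
  Authentication sessions for every user in one federated domain, with a
  dry run (-WhatIf) and a post-check on SignInSessionsValidFromDateTime.
  Assumes the Microsoft Graph PowerShell SDK is installed; the domain name
  and report path are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain,   # federated domain, e.g. example.com (placeholder)

    # Same delegated scopes the article uses for Connect-MgGraph
    [string[]]$Scopes = @("Domain.ReadWrite.All", "Directory.AccessAsUser.All"),

    # Audit record of what was revoked (placeholder path)
    [string]$ReportPath = ".\revoke-sessions-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
)

try {
    # Interactive sign-in; use the onmicrosoft.com admin account (see Notes).
    Connect-MgGraph -Scopes $Scopes -ErrorAction Stop | Out-Null
    $ctx = Get-MgContext
    Write-Host "Signed in as $($ctx.Account) (tenant $($ctx.TenantId))"

    # SignInSessionsValidFromDateTime is only returned when requested explicitly.
    $users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime |
        Where-Object { $_.UserPrincipalName -like "*@$Domain" }

    if (-not $users) {
        Write-Warning "No users with a UPN ending in @$Domain were found."
        return
    }
    Write-Host ("Found {0} user(s) in {1}" -f @($users).Count, $Domain)

    $results = foreach ($u in $users) {
        # Safety net: never revoke the session this script is running under.
        if ($u.UserPrincipalName -eq $ctx.Account) {
            Write-Warning "Skipping the signed-in admin account $($u.UserPrincipalName)"
            continue
        }
        # With -WhatIf, ShouldProcess only reports what would happen.
        if (-not $PSCmdlet.ShouldProcess($u.UserPrincipalName, "Revoke sign-in sessions")) { continue }

        $row = [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            AccountEnabled    = $u.AccountEnabled
            ValidFromBefore   = $u.SignInSessionsValidFromDateTime
            ValidFromAfter    = $null
            Status            = $null
        }
        try {
            Revoke-MgUserSignInSession -UserId $u.Id -ErrorAction Stop | Out-Null
            # Re-read the user: a timestamp newer than before confirms that
            # Entra ID recorded the revocation.
            $after = (Get-MgUser -UserId $u.Id -Property SignInSessionsValidFromDateTime).SignInSessionsValidFromDateTime
            $row.ValidFromAfter = $after
            $row.Status = if ($after -gt $row.ValidFromBefore) { "Revoked" } else { "Revoked (timestamp unchanged, re-check later)" }
        }
        catch {
            $row.Status = "Failed: $($_.Exception.Message)"
        }
        $row
    }

    $results | Format-Table -AutoSize
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Report written to $ReportPath"
}
finally {
    # Clear the cached Graph token so the next PowerShell session starts signed out.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

Run it first as `.\Revoke-DomainSessions.ps1 -Domain example.com -WhatIf` to see which accounts would be affected, then again without -WhatIf to perform the revocation; the CSV gives you the before/after timestamps to keep with the change record.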