Target Users
Customers who use the HENNGE Access Control cloud user sync tool to provision users into Microsoft 365.
Purpose
When users are provisioned into Microsoft 365 by the HENNGE Access Control cloud user sync tool, the newly created Microsoft 365 users are forced to sign in again frequently. The cause is the Microsoft 365 user attribute refreshTokensValidFromDateTime, which is left null (empty) for those users.
We have confirmed that users whose refreshTokensValidFromDateTime is null have to sign in again every 12 hours. This article shows how to set that value with Microsoft Graph PowerShell.
Cautions
1. This article is based on the HENNGE One and Microsoft 365 specifications as of June 2023. Specifications may change without notice.
※ In particular, the commands in 2.2 and 3.2 use the Microsoft Graph beta API and may change in future. Note also that Microsoft Graph PowerShell SDK 2.0 and later no longer provides Select-MgProfile; in those versions the beta cmdlets come from the separate Microsoft.Graph.Beta module (for example Get-MgBetaUser) instead.
2. A Microsoft 365 global administrator account is required for this procedure.
3. The commands in 2.3 and 3.3 revoke all of the user's sign-in sessions (refresh tokens and browser session cookies), so the affected users are signed out everywhere, including mobile and desktop apps, and have to sign in again.
Detail Procedure
1. Prior confirmation
1.1. Microsoft Graph PowerShell SDK module is required. Please refer to the following article and install that module.
Installation of the Microsoft Graph PowerShell SDK
1.2. Open PowerShell with admin privilege and connect to Microsoft 365 with the following command.
Connect-MgGraph -Scopes "User.ReadWrite.All"
※ A Microsoft 365 sign-in screen appears after this command. Sign in with the Microsoft 365 global administrator account and consent to the requested permission.
※ If an error (red text) is shown in PowerShell after the command, refer to the following article to resolve it.
Workaround for TLS 1.0 / TLS 1.1 errors when running Microsoft Graph PowerShell
2. How to input value for an individual user
2.1. Switch to the Microsoft Graph beta API profile with the following command.
Select-MgProfile -Name "beta"
2.2. Check whether the target user's refreshTokensValidFromDateTime value is null with the following command.
Replace "USER ID" with the user's Microsoft 365 UserPrincipalName.
Get-MgUser -UserId "USER ID" | select-object UserPrincipalName, refreshTokensValidFromDateTime
Example:
If the target user's UserPrincipalName is user@example.com, the actual command is:
Get-MgUser -UserId user@example.com | select-object UserPrincipalName, refreshTokensValidFromDateTime
2.3. If refreshTokensValidFromDateTime is null, run the following command. It stamps the attribute with the date and time of the command execution (and signs the user out). If it succeeds, "True" is shown in PowerShell.
Replace "USER ID" with the user's Microsoft 365 UserPrincipalName.
Revoke-MgUserSign -UserId "USER ID"
Example:
If the target user's UserPrincipalName is user@example.com, the actual command is:
Revoke-MgUserSign -UserId user@example.com
2.4. Run the command from 2.2 again and confirm that the target user's refreshTokensValidFromDateTime attribute now holds a date and time value.
Example Screen:
2.5. Disconnect PowerShell from Microsoft 365 with the following command.
Disconnect-MgGraph
3. How to input value for all target users
3.1. Switch to the Microsoft Graph beta API profile with the following command.
Select-MgProfile -Name "beta"
3.2. List the target users whose refreshTokensValidFromDateTime attribute is null with the following command.
Get-MgUser -All | where{ $_.refreshTokensValidFromDateTime -eq $null }
※ If no target user is listed, go to 3.5 and disconnect PowerShell from Microsoft 365.
※ To check refreshTokensValidFromDateTime only for users of a specific domain, use the following command, replacing 'example.com' with the actual domain name.
Get-MgUser -All | where{ $_.refreshTokensValidFromDateTime -eq $null } | where{ $_.UserPrincipalName -like ( "*@example.com" ) }
3.3. Set a date and time value in refreshTokensValidFromDateTime for all target users with the following command. Every listed user is signed out of all sessions by this step.
※ "True" is displayed in PowerShell once for each target user.
foreach($user in Get-MgUser -All | where{ $_.refreshTokensValidFromDateTime -eq $null }){Revoke-MgUserSign -UserId $user.id}
※ To set the value only for users of a specific domain, use the following command, replacing 'example.com' with the actual domain name.
foreach($user in Get-MgUser -All | where{ $_.refreshTokensValidFromDateTime -eq $null } | where{ $_.UserPrincipalName -like ( "*@example.com" ) }){Revoke-MgUserSign -UserId $user.id}
3.4. Run the command from 3.2 again and confirm that no user with a null refreshTokensValidFromDateTime is listed.
3.5. Disconnect PowerShell from Microsoft 365 with the following command.
Disconnect-MgGraph
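The following script combines steps 1 to 3 into one run. It is an added example written for this page, not a HENNGE tool or a script from the original article. It assumes Microsoft Graph PowerShell SDK 1.x (the Select-MgProfile and Revoke-MgUserSign cmdlets used above), a domain name of example.com, and that the account running it is a Microsoft 365 global administrator. Two things are added on top of the article's commands: the attribute is requested explicitly with -Property so that a property Graph simply did not return is not mistaken for a null value (which would make every user look like a target), and nothing is changed unless -Apply is given, because the revoke step signs every listed user out.

```powershell
# Added example (not part of the HENNGE article): report, and optionally fix,
# users whose refreshTokensValidFromDateTime is null.
# Assumptions: Microsoft Graph PowerShell SDK 1.x (Select-MgProfile / Revoke-MgUserSign),
# domain "example.com", run by a Microsoft 365 global administrator.
# On SDK 2.x, replace Select-MgProfile with the Microsoft.Graph.Beta module cmdlets.
param(
    [string]$Domain = "example.com",   # assumed domain; change to your own
    [switch]$Apply                     # without -Apply the script only reports
)

Connect-MgGraph -Scopes "User.ReadWrite.All"
Select-MgProfile -Name "beta"

function Get-UsersWithNullRefreshTokenDate {
    param([string]$Domain)
    # Ask Graph explicitly for the attribute; otherwise an omitted property
    # would compare equal to $null and every user would be treated as a target.
    @(Get-MgUser -All -Property Id,UserPrincipalName,RefreshTokensValidFromDateTime |
        Where-Object { $null -eq $_.RefreshTokensValidFromDateTime } |
        Where-Object { $_.UserPrincipalName -like "*@$Domain" })
}

$targets = Get-UsersWithNullRefreshTokenDate -Domain $Domain
Write-Host ("{0} user(s) in {1} have a null refreshTokensValidFromDateTime" -f $targets.Count, $Domain)
$targets | Select-Object UserPrincipalName | Format-Table

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to revoke sessions (users will be signed out)."
    Disconnect-MgGraph
    return
}

foreach ($user in $targets) {
    # revokeSignInSessions stamps refreshTokensValidFromDateTime with the current
    # time and invalidates all of the user's refresh tokens and session cookies.
    $result = Revoke-MgUserSign -UserId $user.Id
    Write-Host ("{0}: {1}" -f $user.UserPrincipalName, $result)
}

# Verify: re-run the same query; no target user should remain.
$remaining = Get-UsersWithNullRefreshTokenDate -Domain $Domain
if ($remaining.Count -eq 0) {
    Write-Host "All target users now have a refreshTokensValidFromDateTime value."
} else {
    Write-Warning ("{0} user(s) still have a null value:" -f $remaining.Count)
    $remaining | Select-Object UserPrincipalName | Format-Table
}

Disconnect-MgGraph
```

Run it once without -Apply to review the list of users who will be signed out, then with -Apply during a maintenance window, since the revoke step ends every session those users have open.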