tdannecy@gmail.com

Force log out all users from O365 with PowerShell

#Powershell, AzureAD, Entra

The company I work for just completed an O365 tenant migration. After email had been moved to a new Exchange tenant, we noticed that users continued to use their Outlook apps on their phones. They were also continuing to chat on the old tenant's Teams and were using all of the Office apps on the web using their cached logins.

This caused a headache. Some users were in the new environment with the correct domain—others didn't notice the “@onmicrosoft.com” and were having issues with SSO apps that had been migrated.

We needed to revoke all of the cached login tokens to force log out all users. This quick PowerShell command did the trick:

Import-Module -Name "AzureAD"
Connect-AzureAD

# Get all users
$users = Get-AzureAdUser -All $true

# Revoke all refresh tokens for each user
$users | ForEach-Object {
    Revoke-AzureADUserAllRefreshToken -objectID $_.objectID
}

UPDATE: August 16, 2024: The Azure AD PowerShell module is retired, so you will need to use the MS Graph module instead:

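Import-Module -Name 'Microsoft.Graph.Users', 'Microsoft.Graph.Users.Actions'
# User.Read.All lets Get-MgUser list users; User.RevokeSessions.All covers the revoke call
Connect-MgGraph -Scopes 'User.Read.All', 'User.RevokeSessions.All'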

# Get all users
$users = Get-MgUser -All

# Revoke all refresh tokens for each user
$users | ForEach-Object {
    Revoke-MgUserSignInSession -UserId $_.Id
}

After this runs, all users will be required to log in again. This forced them to go into the new tenant and solved our SSO issues.
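A variant of the Graph loop above that survives per-user failures and checks that each user's signInSessionsValidFromDateTime actually advanced after the revoke. This is an added example, not the script from the original post; the status labels, report columns and CSV path are assumptions.

```powershell
# Added example: $report, the status labels and the CSV path are illustrative.
Import-Module -Name 'Microsoft.Graph.Users', 'Microsoft.Graph.Users.Actions'
Connect-MgGraph -Scopes 'User.Read.All', 'User.RevokeSessions.All'

# signInSessionsValidFromDateTime is only returned when explicitly selected
$props = 'Id', 'UserPrincipalName', 'SignInSessionsValidFromDateTime'
$users = Get-MgUser -All -Property $props

$report = foreach ($user in $users) {
    $status = 'Revoked'
    $detail = $null
    $after  = $null
    $before = $user.SignInSessionsValidFromDateTime
    try {
        # -ErrorAction Stop turns a Graph error into a catchable exception,
        # so one failing account does not go unnoticed in a large tenant
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null

        # Re-read the timestamp: refresh tokens and session cookies issued
        # before this value are rejected
        $after = (Get-MgUser -UserId $user.Id -Property 'SignInSessionsValidFromDateTime' `
                    -ErrorAction Stop).SignInSessionsValidFromDateTime
        if (-not $after -or ($before -and $after -le $before)) {
            $status = 'Unverified'   # timestamp has not advanced yet; re-check later
        }
    }
    catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Status            = $status
        ValidFromBefore   = $before
        ValidFromAfter    = $after
        Error             = $detail
    }
}

# Summary on screen, full detail on disk for follow-up on Failed/Unverified rows
$report | Group-Object -Property Status | Select-Object -Property Name, Count
$report | Export-Csv -Path '.\revoke-sessions-report.csv' -NoTypeInformation
```

Revoking sessions invalidates refresh tokens and session cookies; access tokens that were already issued stay usable until they expire, so some clients can keep working for a short while after the script finishes.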
