Microsoft Retiring the Revoke-SPOUserSession Cmdlet
Revoke-SPOUserSession is No Longer Fit for Purpose
Microsoft’s announcement in message center notification MC903785 (3 October 2024) that they will retire the Revoke-SPOUserSession cmdlet (in the SharePoint Online PowerShell module) in early November 2024 was expected. There’s no purpose served by having a workload-specific cmdlet to revoke user access to an app when the job can be done across all workloads with a single cmdlet built for the job. That cmdlet is Revoke-MgUserSignInSession, which I discuss in an article about the right way to revoke access from Entra ID accounts.
The Roots of Revoke-SPOUserSession
Microsoft introduced the Revoke-SPOUserSession cmdlet in January 2016. That’s an aeon in cloud terms. Teams hadn’t yet appeared, Azure AD delivered a much simpler directory and authentication service, with no notion of features like continuous access evaluation (CAE), and SharePoint Online wasn’t trying to deal with nearly 4 billion files created daily.
At the time, the primary access to SharePoint Online was through the browser (now I suspect primary access is via Teams), and I’m sure that it made perfect sense to create a cmdlet to force the sign-out of a user from SharePoint Online across all devices.
Retiring Revoke-SPOUserSession
Microsoft says that their telemetry indicates that only a few organizations are active users of Revoke-SPOUserSession. I’m surprised that even a few tenants exist that might still use the cmdlet because better options have existed for some time, culminating with the Revoke-MgUserSignInSession cmdlet in the Microsoft Graph PowerShell SDK.
The critical difference is that the SDK cmdlet forces a sign-out from all Microsoft 365 sessions, not just SharePoint Online. It’s an essential part of any administrator action to secure an account because of suspected compromise or because an employee is leaving the organization. If you’re in the category of those who have scripts that use Revoke-SPOUserSession, it’s time to change before the curtain comes down.
Securing an Employee Account
All of which brings me to the second annual PowerShell script-off at TEC 2024 (in Dallas). It’s quite a challenge to strut your PowerShell skills in front of a sometimes-boisterous crowd, and I admire the folks (Figure 1) who stepped up to take part.
Figure 1: Intense coding at the TEC 2024 PowerShell script-off (and yes, the glass of wine helps)
The first challenge was to write a script to automate the securing of my account (I make a great victim) after my forced ejection from the organization at 9AM on Monday. You’d imagine that this is a well-trodden path with many sample scripts available on the internet, so it was surprising the difficulty some had with the challenge. Competitors couldn’t use ChatGPT and Microsoft 365 Copilot to avoid any hint of generative AI spoiling the responses, and it was interesting to see how people approached the issue without that kind of help.
Most immediately focused on disabling the Microsoft 365 account. This is undoubtedly an important step, but there’s more to be done, like:
Forcing a sign-out with Revoke-MgUserSignInSession is a great next step, but only after changing the account password. You don’t want someone to be prompted to reauthenticate because their access tokens are invalid, only to be able to sign in again because their account password hasn’t been changed. Yes, disabling the account should stop the sign-in, but let’s be sure.
Securing devices is another step. It all depends on what device management software a tenant uses, but it should be possible to wipe corporate data from devices to prevent ex-employees from having continued access to local copies. Sensitivity labels help here by making sure that even if an ex-employee takes copies of sensitive files, they won’t be able to authenticate and gain the right to access the content. Sensitivity labels put a stop to the tactic often seen when people just about to leave exfiltrate large amounts of confidential documents and email (in PSTs) to removable devices. Exfiltration might work, but once the ex-employee can no longer authenticate, the confidential material becomes no more than an interesting collection of bytes.
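To show the sequence described above in working code (disable the account, change the password, then revoke sessions with Revoke-MgUserSignInSession, then deal with managed devices), here is an added example written for this page. It is not the author’s script-off entry and not a Microsoft sample. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in administrator holds the User.ReadWrite.All and DeviceManagementManagedDevices.PrivilegedOperations.All permissions, and that devices are enrolled in Intune; the user principal name is a placeholder to replace.

```powershell
# Added example: secure an ex-employee's Microsoft 365 account with the Graph SDK.
# Order matters: disable, reset the password, THEN revoke sessions, so a forced
# reauthentication cannot succeed with the old credentials.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName = 'ex.employee@contoso.example',  # placeholder
    [switch] $FullWipe   # default is "retire" (remove company data only); -FullWipe resets the device
)

# Scopes: user update + session revocation, and the privileged scope Intune needs for retire/wipe.
Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, AccountEnabled
Write-Host "Securing $($user.DisplayName) ($UserPrincipalName)"

# Step 1: block sign-in. Tokens already issued remain valid until they expire or are revoked.
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable account')) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
}

# Step 2: replace the password with a random value nobody knows (cryptographic RNG).
# The base64 block supplies letters/digits/symbols; the suffix guarantees each character class.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes) + '!Aa1'
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password')) {
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $newPassword
        ForceChangePasswordNextSignIn = $true
    }
}

# Step 3: revoke refresh tokens and sessions across ALL Microsoft 365 workloads,
# not just SharePoint Online (this is the job Revoke-SPOUserSession used to do for one workload).
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke sign-in sessions')) {
    $result = Revoke-MgUserSignInSession -UserId $user.Id
    if (-not $result.Value) { Write-Warning 'Graph reported that session revocation did not succeed' }
}

# Step 4: remove corporate data from the user's Intune-managed devices.
# Retire = selective wipe of company data; wipe = factory reset. Both are POST actions in Graph.
$action  = if ($FullWipe) { 'wipe' } else { 'retire' }
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'" -All
foreach ($device in $devices) {
    if ($PSCmdlet.ShouldProcess("$($device.DeviceName) [$($device.OperatingSystem)]", $action)) {
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/$action"
    }
}

# Step 5: confirm the account state before declaring the job done.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
[pscustomobject]@{
    User           = $UserPrincipalName
    AccountEnabled = $check.AccountEnabled     # expected: False
    SessionsRevoked = [bool]$result.Value
    DevicesActioned = @($devices).Count
}
```

Run it with -WhatIf first to see every action it would take without changing anything; the script uses ShouldProcess throughout for exactly that reason. The password is never displayed because nobody should need it: the account is disabled, and ForceChangePasswordNextSignIn covers the case where it is later re-enabled for a legitimate reason.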
It’s Hard to Revoke Access
No one quite delivered a script to totally secure an ex-employee’s account in the 20 minutes allotted for the task (one solution was delivered that removed access from every account in the tenant). Even with access to the internet, it takes time to find, assess, and decide what code to base a solution on. The difficulty is compounded when people are looking over your shoulder to criticize every move, or even when you find a great cmdlet to revoke access that Microsoft’s just about to deprecate…