Disabled Entra ID user, still able to log in to their M365 apps? A question from a client today: they had a case of a user who was leaving the organisation, and to this end their account had been disabled and the password changed.
A couple of days later the client was surprised to see that the “disabled” user was still able to authenticate, delete some files and change their password. Weird, right?
A couple of important points to note:
- Organisation is using Windows Hello for Business (WHfB) for multifactor authentication and simplified logon.
- User was using a device that had previously authenticated.
For some background on WHfB: it is designed to improve a user's experience on a desktop device, while improving security by not requiring a password to be entered when the user authenticates.
This means an organisation no longer needs a frequent password change policy, because, as we all know, regular password changes end up making passwords easier to compromise: we are human and cannot remember random phrases well.
Using Entra ID Identity Protection (a Plan 2 feature) ensures that when a user's email address and password are detected on the “dark web”, they are required to reset their password at that point.
There is further information about Identity Protection here.
Second point: the previously authenticated device had a valid Primary Refresh Token (PRT). A PRT is designed to reduce the number of times a user is required to re-authenticate and improves the user experience (in other words, a good usability feature).
Solution – Disabled user able to login?
Firstly, this ‘issue’ only affects devices that are already allowed to log in and existing users: the PRT is not valid on another device, so this potential vulnerability should only affect organisation users. That is still not good if they are on their way out and need to be blocked from access.
- When a user leaves the organisation, make sure their device has been returned, and also ensure the corporate apps have been removed from their mobile device; this would normally be managed via an MDM solution such as Microsoft Intune.
- If they still have their device, then a more involved process is needed: expire the PRT to ensure they cannot authenticate again.
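As an added example (my own script, not from the original post or any Microsoft documentation), here is how the offboarding steps above can be carried out with the Microsoft Graph PowerShell SDK: disable the account, revoke the user's refresh tokens and sign-in sessions so the device's PRT can no longer be redeemed, read back the revocation timestamp as a check, and then wipe corporate Intune devices or retire personal ones. It assumes the Microsoft.Graph module is installed, that the signed-in admin has the listed Graph permissions, and `$Upn` is a placeholder for the leaver's user principal name.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the admin holds the scopes requested below.
# $Upn is a placeholder for the leaver's UPN.
param([Parameter(Mandatory)][string]$Upn)

Connect-MgGraph -NoWelcome -Scopes @(
    "User.ReadWrite.All",
    "Directory.AccessAsUser.All",                          # needed for revokeSignInSessions
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All"  # needed for wipe/retire
)

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled

# 1. Disable the account. This blocks new interactive sign-ins but, as the post
#    explains, does not by itself invalidate a PRT already held by a device.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens and sign-in sessions. Graph moves the user's
#    signInSessionsValidFromDateTime forward, so any refresh token issued before
#    that instant (the PRT included) is refused when the device next tries to
#    renew an access token. Access tokens already issued still live until they
#    expire unless the app supports Continuous Access Evaluation.
$result = Revoke-MgUserSignInSession -UserId $user.Id
if (-not $result.Value) { throw "Revocation request for $Upn was not accepted" }

# 3. Check: the validity timestamp should now be (roughly) the current time.
$check = Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime
"Sessions valid from: $($check.SignInSessionsValidFromDateTime) (UTC now: $((Get-Date).ToUniversalTime()))"

# 4. Enumerate the Intune-managed devices enrolled by this user.
$devices = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)/managedDevices").value

foreach ($d in $devices) {
    if ($d.managedDeviceOwnerType -eq 'company') {
        # Corporate device: full wipe, discarding enrollment and user data.
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/wipe" `
            -Body @{ keepEnrollmentData = $false; keepUserData = $false }
        "Wipe issued for corporate device $($d.deviceName)"
    } else {
        # Personal (BYOD) device: retire removes only company apps and data,
        # leaving the owner's personal data alone.
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/retire"
        "Retire issued for personal device $($d.deviceName)"
    }
}
```

Run it as `.\Offboard-User.ps1 -Upn leaver@contoso.example` (file name and UPN are placeholders). The wipe-versus-retire branch mirrors the corporate/personal distinction made in the Summary below: a wipe on a BYOD phone would destroy the owner's own data, which is why Intune's ownership type, not just enrolment, decides the action.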
The following reddit post is by far the best description of what to do to block a user from being able to sign in with a valid PRT:
Additional considerations
You may simply want to reduce the refresh time for all devices. To change the refresh time go here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime#configuring-authentication-session-controls
For supported applications Microsoft has a newish feature called Continuous Access Evaluation (CAE); this prevents access when a user is disabled in Entra ID for specific apps (mainly M365) and is the most desirable way to handle this: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
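The sign-in frequency control described in the first link can also be set from the Graph PowerShell SDK rather than the portal. The script below is an added example (mine, not from the original post or the Microsoft documentation): it creates a report-only Conditional Access policy that requires a full re-authentication every hour for members of a hypothetical "Leavers" group, so the effect can be reviewed in the sign-in logs before it is enforced. It assumes the Microsoft.Graph module is installed, the admin holds the listed permissions, and `$LeaversGroupId` is a placeholder for the object id of that group.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed. $LeaversGroupId is a placeholder group object id.
param([Parameter(Mandatory)][string]$LeaversGroupId)

Connect-MgGraph -NoWelcome -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$policy = @{
    displayName = "Leavers - re-authenticate every 1 hour (report-only)"
    # Report-only: logged in sign-in logs but not enforced until you flip it to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($LeaversGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 1
            frequencyInterval  = "timeBased"
            # Force first and second factor again, not just MFA.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: list session controls of the policy we just created.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).SessionControls.SignInFrequency |
    Select-Object IsEnabled, Type, Value, FrequencyInterval, AuthenticationType
```

A one-hour window is deliberately aggressive and is scoped to a single group here; the same block with a longer `value` (or `type = "days"`) is the tenant-wide tuning the post refers to. Note that a sign-in frequency policy bounds how long a PRT-backed session can go without re-authentication, whereas the revocation in the Solution section invalidates the token outright; the two are complementary.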
Summary
Security and usability are contrasting aspects of business; without both, a business cannot run safely or efficiently. Primary Refresh Tokens are there to make our business life easier, as is Windows Hello for Business, and together they are useful for enhancing organisational security while improving the user experience.
When a user leaves an organisation, physically take their devices from them; if you cannot do this, then remove them from their apps and remote wipe their corporate devices. Personal devices should also be registered in Intune and have the corporate apps and data removed as well.
A ‘personal’ registered device in Microsoft Intune should only have the corporate apps removed when the user leaves; remember the difference between corporate and personal devices and how each is managed by Intune.
As always if you wish to reach out to me then please go here.