Microsoft Entra PowerShell offers IT administrators a powerful and streamlined way to offboard users securely. This article describes how to terminate active sessions and tokens. It also shows how to disable user accounts and devices, reset passwords, remove device ownership, and manage deleted user records. By following these steps, you can ensure that departing users lose access to company resources immediately, helping maintain organizational security and compliance.
These actions help standardize offboarding, minimize risk, and simplify user lifecycle management.
Invalidate active sessions and tokens
Connect-Entra -Scopes 'Directory.AccessAsUser.All'
Revoke-EntraUserAllRefreshToken -UserId 'SawyerM@contoso.com'
Revoking the refresh tokens invalidates them, so the user cannot regain access through cached logins or remembered sessions once the current access tokens expire.
Disable a user
Connect-Entra -Scopes 'User.ReadWrite.All'
Set-EntraUser -UserId 'SawyerM@contoso.com' -AccountEnabled $false
Disabling the account instantly blocks the user from accessing company resources, applications, and data.
Reset a user's password
Connect-Entra -Scopes 'Directory.AccessAsUser.All'
$securePassword = ConvertTo-SecureString 'Some-strong-random-password' -AsPlainText -Force
Set-EntraUserPassword -ObjectId 'SawyerM@contoso.com' -Password $securePassword
Resetting the user's password ensures they can't use their old credentials to access company resources before their account is disabled or deleted. This process prevents unauthorized access and potential misuse of the account.
Remove device ownership
Connect-Entra -Scopes 'Directory.AccessAsUser.All'
$device = Get-EntraDevice -Filter "DisplayName eq 'Sawyer Laptop'"
$owner = Get-EntraDeviceRegisteredOwner -DeviceId $device.Id
Remove-EntraDeviceRegisteredOwner -DeviceId $device.Id -OwnerId $owner.Id
Removing device ownership during offboarding prevents unauthorized access and ensures security compliance.
Disable a user's device
Connect-Entra -Scopes 'Directory.AccessAsUser.All', 'Device.ReadWrite.All'
$device = Get-EntraDevice -Filter "DisplayName eq 'Woodgrove Desktop'"
Set-EntraDevice -DeviceObjectId $device.ObjectId -AccountEnabled $false
Disabling a user's device helps safeguard the organization's security, data, and resources.
Remove a user account
Connect-Entra -Scopes 'Directory.AccessAsUser.All'
Remove-EntraUser -UserId 'SawyerM@contoso.com'
Note
You can reclaim the user's assigned software and service licenses. See Manage user license for details.
Manage deleted users
List recently deleted users.
Connect-Entra -Scopes 'User.ReadWrite.All'
Get-EntraDeletedUser -All | Select-Object Id, UserPrincipalName, DisplayName, AccountEnabled, DeletedDateTime, DeletionAgeInDays, UserType | Format-Table -AutoSize
The output lists deleted users.
Id                                   UserPrincipalName      DisplayName AccountEnabled DeletedDateTime      DeletionAgeInDays UserType
--                                   -----------------      ----------- -------------- ---------------      ----------------- --------
dddddddd-3333-4444-5555-eeeeeeeeeeee {id}AveryS@contoso.com Avery Smith False          2/12/2025 1:15:34 PM 3                 Member
Retrieve deleted users sorted by deletion date.
Connect-Entra -Scopes 'User.ReadWrite.All'
Get-EntraDeletedUser -All | Sort-Object -Property DeletedDateTime -Descending
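The following script is an added example and is not code from this article or from the Microsoft Entra PowerShell project. It chains the offboarding steps above (invalidate tokens, disable, reset password, remove device ownership, disable devices, optionally remove the account) into one function with -WhatIf and -Confirm support, and adds a verification function that also uses Get-EntraDeletedUser from the Manage deleted users section. It assumes the Microsoft.Entra module is installed, that Get-EntraUserOwnedDevice exists and returns objects with Id and DisplayName properties, and that the parameter names shown on this page (-ObjectId for Set-EntraUserPassword, -DeviceObjectId for Set-EntraDevice) are accepted. The step order is my choice: the account is disabled before tokens are revoked so that no new token can be issued in between, and the new password is a random value that is never displayed or stored.

```powershell
# Added example: consolidated offboarding plus a verification step.
# Not the article's code; Get-EntraUserOwnedDevice and its output shape are assumptions.

function Invoke-EntraUserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserId,   # UPN or object ID, e.g. 'SawyerM@contoso.com'
        [switch] $RemoveAccount                      # also soft-delete the account at the end
    )

    # Union of the scopes the individual steps on this page request.
    Connect-Entra -Scopes 'Directory.AccessAsUser.All', 'User.ReadWrite.All', 'Device.ReadWrite.All'

    # Resolve the user once so the object ID is available for the device-owner removal.
    $user = Get-EntraUser -UserId $UserId

    if ($PSCmdlet.ShouldProcess($UserId, 'Disable account')) {
        Set-EntraUser -UserId $UserId -AccountEnabled $false
    }

    if ($PSCmdlet.ShouldProcess($UserId, 'Revoke all refresh tokens')) {
        Revoke-EntraUserAllRefreshToken -UserId $UserId
    }

    if ($PSCmdlet.ShouldProcess($UserId, 'Reset password to a random value')) {
        # 24 random bytes from the OS CSPRNG, base64-encoded: mixed case, digits and symbols.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $securePassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-EntraUserPassword -ObjectId $UserId -Password $securePassword
        # The plaintext is deliberately not written to the console, a log, or a variable that outlives this block.
    }

    # Assumption: Get-EntraUserOwnedDevice lists devices the user is a registered owner of.
    foreach ($device in @(Get-EntraUserOwnedDevice -UserId $UserId)) {
        if ($PSCmdlet.ShouldProcess($device.DisplayName, 'Remove registered owner and disable device')) {
            Remove-EntraDeviceRegisteredOwner -DeviceId $device.Id -OwnerId $user.Id
            Set-EntraDevice -DeviceObjectId $device.Id -AccountEnabled $false
        }
    }

    if ($RemoveAccount -and $PSCmdlet.ShouldProcess($UserId, 'Remove account (soft delete)')) {
        Remove-EntraUser -UserId $UserId
    }

    Test-EntraUserOffboarded -UserId $UserId -Upn $user.UserPrincipalName
}

function Test-EntraUserOffboarded {
    # Returns an object rather than printing, so the result can be asserted on in automation.
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [string] $Upn = $UserId
    )

    # A soft-deleted user no longer resolves through Get-EntraUser, so check the deleted
    # container first. Deleted UPNs carry an ID prefix, hence the -like match on the suffix.
    $deleted = Get-EntraDeletedUser -All | Where-Object { $_.UserPrincipalName -like "*$Upn" }
    if ($deleted) {
        return [pscustomobject]@{
            UserId             = $UserId
            State              = 'Deleted'
            AccountEnabled     = [bool]$deleted.AccountEnabled
            DeletionAgeInDays  = $deleted.DeletionAgeInDays
            OwnedDevicesActive = 0
            Offboarded         = $true
        }
    }

    $user    = Get-EntraUser -UserId $UserId
    $devices = @(Get-EntraUserOwnedDevice -UserId $UserId)
    $active  = @($devices | Where-Object { $_.AccountEnabled }).Count

    [pscustomobject]@{
        UserId             = $UserId
        State              = 'Present'
        AccountEnabled     = [bool]$user.AccountEnabled
        DeletionAgeInDays  = $null
        OwnedDevicesActive = $active
        # Offboarded only if the account is disabled and no owned device is still enabled.
        Offboarded         = (-not $user.AccountEnabled) -and ($active -eq 0)
    }
}

# Usage (dry run first, then for real; the ConfirmImpact=High prompts before each step):
#   Invoke-EntraUserOffboarding -UserId 'SawyerM@contoso.com' -WhatIf
#   Invoke-EntraUserOffboarding -UserId 'SawyerM@contoso.com' -RemoveAccount
#   Test-EntraUserOffboarded -UserId 'SawyerM@contoso.com'
```

Run the function with -WhatIf before a real offboarding to see every action it would take, and keep the returned object from Test-EntraUserOffboarded as the evidence that the account and its devices are no longer active. The DeletionAgeInDays value on a deleted record is the same property the Manage deleted users section lists, so the same check can be run again later to see how long the record has been in the deleted container.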