ayi <t>We have terminated an employee who was a Microsoft 365 admin and we need to immediately secure the tenant and reset MFA access.</t>
ayi <t>Follow these steps to immediately secure the tenant and reset MFA access after terminating an admin:

1. **Reset the terminated admin's password and sign out of all sessions**
   - In the Microsoft 365 admin center, go to Users > Active users
   - Select the terminated admin's account and choose Reset password. Configure a strong random password and require password change on next sign-in if the account will be reassigned later
   - After resetting the password, select the user again, go to the Account tab, and select Sign out of all sessions. This invalidates existing sessions within about an hour, or sooner if they navigate away or refresh
   - For immediate sign-out via PowerShell, use:
   ```powershell
   # Placeholder UPN: replace with the terminated admin's user principal name or object ID
   Revoke-MgUserSignInSession -UserId terminated.admin@contoso.com
   ```

2. **Revoke all active sessions using Microsoft Graph PowerShell** (strongly recommended for a compromised/terminated admin)
   - Run PowerShell as administrator and set execution policy:
   ```powershell
   Set-ExecutionPolicy RemoteSigned
   ```
   - Install Graph modules if needed:
   ```powershell
   Install-Module Microsoft.Graph.Authentication
   Install-Module Microsoft.Graph.Users.Actions
   ```
   - Connect with the required scope:
   ```powershell
   Connect-MgGraph -Scopes User.RevokeSessions.All
   ```
   - Revoke sessions for the terminated admin:
   ```powershell
   # Placeholder UPN: replace with the terminated admin's user principal name or object ID
   Revoke-MgUserSignInSession -UserId terminated.admin@contoso.com
   ```

3. **Reset or remove MFA methods and app passwords for the terminated admin**
   - Ensure the account's MFA methods are cleared or re-registered by another admin so the former employee cannot approve sign-ins
   - If app passwords were used (for legacy clients), ensure they are deleted and not reused

4. **If the account is synced or federated, secure it on-premises**
   - Reset the password in AD twice to mitigate pass-the-hash risk using `Set-ADAccountPassword`
   - If federated, change the password in the on-premises identity system and notify the appropriate identity/security admin

5. **Enable and enforce MFA for remaining admins and critical accounts**
   - Ensure all remaining Global Administrators have MFA enforced
   - Use strong, phishing-resistant MFA where possible

6. **Review and tighten admin role assignments**
   - Confirm the terminated admin's account is removed from all privileged roles
   - Follow least-privilege guidance and keep Global Administrators minimal
   - Ensure at least one other privileged account exists to reset admin passwords and MFA if needed

7. **Implement or verify self-service password reset (SSPR) and MFA registration policies**
   - Enable SSPR and combined security information registration
   - Ensure admins are registered with multiple MFA methods to avoid single-device dependency

8. **If tenant access is at risk**
   - If no remaining Global Admin can sign in, follow Microsoft's tenant access recovery process via Microsoft 365 support with identity verification</t>