Revoking sessions in Azure can be a bit tricky, especially in a hybrid environment. In a hybrid environment, you have to consider both on-premises and cloud-based resources.
To revoke sessions in Azure, you need to know that Azure Active Directory (Azure AD) sessions are stored in the Azure AD token cache. This cache is stored on the client device, such as a Windows or macOS machine.
Requiring multi-factor authentication (MFA) for users can help prevent unauthorized access to Azure resources. MFA adds an extra layer of security, making it harder for attackers to gain access to your Azure resources.
To revoke sessions, you can use the Azure AD PowerShell module to invalidate the user's refresh tokens so that cached sessions can no longer be renewed. This is done by running the command Revoke-AzureADUserAllRefreshToken (or, with the Microsoft Graph PowerShell module, Revoke-MgUserSignInSession).
Revoke Sessions
Revoke refresh tokens to terminate active user sessions and force re-authentication. This is done through Microsoft Entra ID, but be aware that authentication will fail if the user account was previously disabled.
You can use the "AS-Revoke-Entra-ID-User-Session-From-Incident" playbook to revoke sessions from a Microsoft Sentinel Incident.
Session tokens, on the other hand, can't be directly revoked by Microsoft Entra ID. The application that issued the session token must revoke it based on its own authorization policies.
Here are some key differences between refresh tokens and session tokens:
If you need to revoke a user's access rights, revoke their refresh token and wait for the access token to expire. A refresh token lives for 90 days by default, so revoking it is what actually cuts off access during that window; waiting for it to expire on its own is not an option.
Azure Entra Environment
To manage an Azure Entra environment, you'll want to disable the user in Microsoft Entra ID. This involves running the command "Update-MgUser -UserId $User.Id -AccountEnabled:$false" after getting the user's ID with "Get-MgUser -Search UserPrincipalName:'[email protected]' -ConsistencyLevel eventual".
To revoke a user's Microsoft Entra ID refresh tokens, use the command "Revoke-MgUserSignInSession -UserId $User.Id". This step is crucial for securing your environment.
You can also disable a user's devices by getting the device ID with "Get-MgUserRegisteredDevice -UserId $User.Id" and then running "Update-MgDevice -DeviceId $Device.Id -AccountEnabled:$false".
Microsoft Entra Environment
Microsoft Entra Environment is a key aspect of managing user access and device security. To disable a user in Microsoft Entra ID, you'll need to use the Update-MgUser cmdlet with the AccountEnabled parameter set to $false.
You can find the user's ID by searching for their UserPrincipalName using the Get-MgUser cmdlet. For example, if you're looking for the user [email protected], you would use the following command: Get-MgUser -Search UserPrincipalName:'[email protected]' -ConsistencyLevel eventual.
Once you have the user's ID, you can use the Update-MgUser cmdlet to disable their account. Here's a step-by-step process:
1. Disable the user in Microsoft Entra ID.
2. Revoke the user's Microsoft Entra ID refresh tokens using the Revoke-MgUserSignInSession cmdlet.
3. Disable the user's devices using the Get-MgUserRegisteredDevice and Update-MgDevice cmdlets.
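The three steps above, carried out end to end in Microsoft Graph PowerShell. This is an added example, not a script from the original article or from any of its sources; it assumes the Microsoft.Graph module is installed, that the caller holds a role allowed to update users and devices, and that the scopes requested below are the right delegated permissions for the tenant (an assumption; adjust to what the tenant grants). The user principal name is a placeholder passed in as a parameter.

```powershell
# Emergency revocation of one user's access with Microsoft Graph PowerShell.
# Added example; not from the original article. Assumes Microsoft.Graph is installed.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. 'alice@contoso.example'
)

# Delegated scopes for the three steps (assumed sufficient; an interactive sign-in prompts for consent).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

# 1. Resolve the user. An exact -Filter on UPN avoids the fuzzy -Search lookup;
#    doubling any apostrophe keeps the OData filter well-formed.
$upnEscaped = $UserPrincipalName -replace "'", "''"
$user = Get-MgUser -Filter "userPrincipalName eq '$upnEscaped'" -Property Id, UserPrincipalName, AccountEnabled
if (-not $user) { throw "User $UserPrincipalName not found" }

# 2. Disable the account first so no new sign-in can succeed while tokens are revoked.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Revoke refresh tokens. Existing refresh tokens stop working immediately;
#    already-issued access tokens stay valid until they expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Verify: Entra stamps the revocation time on the user object, so a reviewer
# can confirm both the disable and the revocation took effect.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled, SignInSessionsValidFromDateTime
"Account enabled: $($check.AccountEnabled); sessions valid from: $($check.SignInSessionsValidFromDateTime)"

# 4. Disable every device registered to the user so device-based Conditional
#    Access checks no longer pass for those devices.
$devices = Get-MgUserRegisteredDevice -UserId $user.Id -All
foreach ($device in $devices) {
    Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
    "Disabled device $($device.Id)"
}
```

Run it as ./Revoke-UserAccess.ps1 -UserPrincipalName 'alice@contoso.example' (placeholder). The order matters: disabling the account before revoking tokens closes the window in which a still-valid refresh token could mint a fresh access token, and the final Get-MgUser read gives the incident record a timestamp to cite.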
It's worth noting that specific roles can perform these steps, and you can find more information on those roles in the Microsoft Entra built-in roles documentation.
Microsoft Graph PowerShell is the recommended tool for interacting with Microsoft Entra ID, and it's available on PowerShell 7. If you're currently using Azure AD PowerShell, be aware that it's planned for deprecation on March 30, 2024.
User Access in Hybrid Environment
You can manage user access in a hybrid environment by using Azure AD Connect to synchronize on-premises Active Directory with Azure AD. This allows you to control access to cloud resources using the same identity management tools you're already familiar with.
Azure AD Connect supports password hash synchronization, pass-through authentication, and federation, giving you flexibility in how you manage user identities.
In a hybrid environment, users can access cloud resources using the same username and password they use for on-premises resources.
Azure AD Connect also enables you to use conditional access policies to control access to cloud resources based on user identity and device characteristics.
When Access Is Revoked
When access is revoked, admins have taken steps to ensure the user can't gain new tokens for any application tied to Microsoft Entra ID. This is a crucial step in managing user access and preventing unauthorized access.
For applications using access tokens, the user loses access when the access token expires. This means that the user's access will be cut off once the token has reached its expiration date.
For applications that use session tokens, the existing sessions end as soon as the token expires. This can happen quickly, depending on the frequency of synchronization between the application and Microsoft Entra ID.
If the disabled state of the user is synchronized to the application, the application can automatically revoke the user's existing sessions if it's configured to do so. This is a convenient feature that saves admins time and effort.
Here's a summary of the two scenarios:
App Registration and Secrets
To create an app registration, navigate to the Microsoft Azure Active Directory app registration page and click "New registration". Enter "AS-Revoke-Entra-ID-User-Session-From-Incident" for the name, and all else can be left as is.
The app registration will be created, and you'll be redirected to the "Overview" page. Take note of the "Application (client) ID" under the "Essentials" section, as this will be needed for deployment.
To add permissions for the app registration to call the Microsoft Graph API, click "API permissions" under the "Manage" section, then click "Add a permission".
Session Tokens (Cookies)
Session Tokens (Cookies) are a common way for browser-based applications to authenticate users. Most applications use them instead of access and refresh tokens.
When a user authenticates to an application via Microsoft Entra ID, they receive two session tokens: one from Microsoft Entra ID and another from the application.
The application's session token governs access to the application, and the user is only affected by the application's authorization policies.
Reevaluation of Microsoft Entra ID's authorization policies usually happens silently, but the frequency depends on the application's configuration. It's possible that the app may never send the user back to Microsoft Entra ID as long as the session token is valid.
A session token can only be revoked by the application revoking access based on its own authorization policies. Microsoft Entra ID can't directly revoke a session token issued by an application.
App Registration
To create an app registration, start by navigating to the Microsoft Azure Active Directory app registration page at https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
Click "New registration" to begin the process.
Enter "AS-Revoke-Entra-ID-User-Session-From-Incident" for the name, and all else can be left as is.
Click "Register" to create the app registration.
Once created, you will be redirected to the "Overview" page, where you'll need to note the "Application (client) ID" for deployment purposes.
This ID will be crucial for your app's functionality.
To add permissions for the app registration, click "API permissions" under the "Manage" section of the left menu blade.
Then, click "Add a permission" to proceed.
Select the "Microsoft Graph" API from the "Select an API" pane, and click "Application permissions".
Search for "User.ReadWrite.All" and click the option matching the search.
Click "Add permission" to assign the permission.
Admin consent will be needed before your app registration can use the assigned permission.
Click "Grant admin consent for (name)" to proceed.
Finally, a client secret will need to be generated for the app registration.
Click "Certificates & secrets" under the "Manage" section of the left menu blade, then click "New client secret".
Create Azure Key Vault Secret
To create an Azure Key Vault Secret, choose a name for the secret, such as "AS-Revoke-Entra-ID-User-Session-From-Incident--App-Registration-Client-Secret", and enter the client secret copied in the previous section.
The name should be unique and descriptive, as it will help you identify the secret later on.
All other settings can be left as is, and then click "Create" to add the secret to the vault.
Once your secret has been added to the vault, navigate to the "Access policies" menu option, but leave this page open for now.
You'll need to return to this page once the playbook has been deployed, as described in the next section.
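The same app-registration, consent and secret-storage steps from the two sections above, done from PowerShell instead of the portal. This is an added example, not code from the original article or from the playbook's repository; it assumes the Microsoft.Graph and Az.KeyVault modules are installed, that the caller can create applications and grant admin consent, and that the Key Vault named in $VaultName already exists (placeholder name). The app and secret names are the ones the article uses.

```powershell
# App registration with a single Graph application permission, admin consent,
# and the client secret written straight to Key Vault.
# Added example; not from the original article or the playbook repository.
param(
    [string] $AppName    = 'AS-Revoke-Entra-ID-User-Session-From-Incident',
    [string] $VaultName  = 'kv-sentinel-playbooks',   # placeholder; assumed to exist already
    [string] $SecretName = 'AS-Revoke-Entra-ID-User-Session-From-Incident--App-Registration-Client-Secret'
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
Connect-AzAccount | Out-Null   # needed for Set-AzKeyVaultSecret

# Look up the Microsoft Graph service principal (well-known appId) and the one
# application role the playbook needs, instead of hard-coding the role GUID.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'User.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw 'User.ReadWrite.All application role not found on the Graph service principal' }

# 1. Create the app registration requesting only that permission (least privilege).
$app = New-MgApplication -DisplayName $AppName -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(@{ Id = $role.Id; Type = 'Role' })
    }
)
"Application (client) ID: $($app.AppId)"   # note this for the playbook deployment

# 2. Create the service principal and grant tenant-wide admin consent for the role.
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# 3. Generate a client secret with a bounded lifetime and store it in Key Vault
#    without ever echoing it to the console.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'playbook-secret'
    EndDateTime = (Get-Date).AddMonths(6)
}
$secure = ConvertTo-SecureString -String $cred.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure | Out-Null
Remove-Variable cred, secure   # drop the plaintext from the session as soon as it is stored
"Secret '$SecretName' stored in vault '$VaultName'; expires $((Get-Date).AddMonths(6).ToShortDateString())"
```

Resolving the role ID from the Graph service principal keeps the script correct across tenants, and writing the secret directly from the cmdlet output to Key Vault means it never passes through the clipboard or a terminal scrollback. The Key Vault access policy for the playbook's managed identity still has to be added once the playbook is deployed, as the next section describes.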
Frequently Asked Questions
How do you revoke sessions in Active Directory?
To revoke sessions in Active Directory, use the Azure AD UI or PowerShell with the Revoke-AzureADUserAllRefreshToken or Revoke-MgUserSignInSession cmdlets. This action terminates all active sessions for a selected user.
What is revoke MFA sessions?
Revoke MFA sessions clears remembered MFA credentials, forcing users to re-authenticate with MFA on their next login. This action resets MFA sessions, ensuring security and compliance with company policies.
How do I revoke permissions in Azure?
To revoke permissions in Azure, delete the enterprise application directly in the Azure portal as a global administrator. This action instantly revokes all permissions granted by the admin.
How do I revoke consent in Azure AD?
To revoke consent in Azure AD, go to the Admin consent tab and select the Revoke permission option for the desired permission. This will remove the user's consent for the chosen permission.