Repository Link - Use it yourself!

RevokeUserSessions

Revoke User Sessions is a script that can be used to revoke user sessions within Entra ID programmatically by inputting a CSV file.

The script uses the Microsoft.Graph module to achieve this and will automatically install it to the local user scope if it has not already been installed.

This script comes with an optional functionality that allows a tailored warning message if the number of successfully revoked users reaches a threshold, and will require user interaction to continue:

[*] Threshold of action: 6. <Custom Message>
[input] Continue? (y/n): y

Running the script

The script expects input of a CSV file that contains a column named ‘userPrincipalName’. This column should contain the full User Principal Name of each account whose sessions should be revoked.

If you wish to revoke sessions for all users within Entra ID, export all users from the Azure Portal and point this script at the exported file.

Script Parameters

The script accepts the following:

  • InputFile: The filename of the CSV to input. By default, this will look for ‘revoke_upns.csv’.
  • ForceRevoke: Accepts $True or $False. This will ignore any warning messages configured within the script and will not prompt for any user interaction.
  • DisconnectGraphFirst: Accepts $True or $False. Defaults to $False. It is advised to set this to $True if working across multiple Entra ID tenants to ensure the Microsoft.Graph module is connected to the correct tenant.

Configuring custom warnings and thresholds

Within the published script, around line 151, there is a list of objects (InteractiveWarningThreshold) that can be used to configure interactive warning thresholds. Examples have been left inside the script. Each entry in this list is a warning with the following format:

    [pscustomobject]@{WarningText='<YourWarning>'; UserThreshold=4; ThresholdAccepted=$False}

Note: InteractiveWarningThreshold is a global variable so other script functions can update it.
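To make the threshold mechanism concrete, the following is an added example, not the published script's own code: a threshold check wrapped around the CSV-driven revocation loop. The function name Test-WarningThreshold, the loop and the error-log naming are assumptions; the InteractiveWarningThreshold object format and the prompt text follow what is described above, and Connect-MgGraph and Revoke-MgUserSignInSession are the Microsoft.Graph cmdlets the script relies on.

```powershell
# Added illustration of the interactive threshold logic (not the script's own code).
param([string]$InputFile = 'revoke_upns.csv', [bool]$ForceRevoke = $False)

# Global so the check function can mark a threshold as accepted (fires once per entry).
# Sample warnings below are constructed for this example.
$global:InteractiveWarningThreshold = @(
    [pscustomobject]@{WarningText='Check the CSV is the intended list'; UserThreshold=4; ThresholdAccepted=$False}
    [pscustomobject]@{WarningText='Bulk revocation: confirm with the incident lead'; UserThreshold=6; ThresholdAccepted=$False}
)

# Returns $True if processing may continue, $False if the operator declined at a threshold.
# Assumed helper name; ForceRevoke bypasses every prompt, as the parameter list describes.
function Test-WarningThreshold {
    param([int]$RevokedCount, [bool]$Force = $False)
    if ($Force) { return $True }
    foreach ($warning in $global:InteractiveWarningThreshold) {
        if (-not $warning.ThresholdAccepted -and $RevokedCount -ge $warning.UserThreshold) {
            Write-Host "[*] Threshold of action: $($warning.UserThreshold). $($warning.WarningText)"
            $answer = Read-Host '[input] Continue? (y/n)'
            if ($answer -ne 'y') { return $False }
            $warning.ThresholdAccepted = $True   # updates the global list, so this warning is not repeated
        }
    }
    return $True
}

# User.ReadWrite.All is required for Revoke-MgUserSignInSession.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$revoked  = 0
$errorLog = Join-Path (Get-Location) ("RUS_Errors_{0}.txt" -f (Get-Date -Format 'yyyyMMdd_HHmmss'))

foreach ($row in Import-Csv -Path $InputFile) {
    $upn = $row.userPrincipalName
    try {
        Revoke-MgUserSignInSession -UserId $upn -ErrorAction Stop | Out-Null
        $revoked++
    } catch {
        # One line per failed account, in the RUS_Errors_<time>.txt style described below.
        "$upn : $($_.Exception.Message)" | Add-Content -Path $errorLog
        continue
    }
    # Check after each successful revocation, so the count that triggers a prompt is accurate.
    if (-not (Test-WarningThreshold -RevokedCount $revoked -Force $ForceRevoke)) {
        Write-Host "Stopped by operator after $revoked revocation(s)."
        break
    }
}
Write-Host "Revoked sessions for $revoked user(s)."
```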

Configuring Authentication

The script requires the following access:

  • The ability to use Microsoft Graph Command Line Tools within Entra ID. Many organisations limit usage of this application to specific users via Conditional Access. If you receive errors trying to authenticate, check the sign-in logs for the user account being used.
  • The scope User.ReadWrite.All. The ability to write to a user is required for session revoking. This is applied when you authenticate to Graph.

Authentication occurs in the function AuthenticateGraph. The script is currently written for interactive user authentication. Changing this (such as using an app registration) can be achieved by making changes within this function.

Error handling

Errors are logged to the current working directory of the script in a file named RUS_Errors_<time>.txt.
