How to Block Microsoft 365 User Accounts Using PowerShell
This article discusses how to use Windows PowerShell to block Microsoft 365 user accounts that pose a security threat. You can:
- Block a user account individually.
- Block user accounts in bulk (or in large numbers).
There are two PowerShell modules for blocking user accounts:
- MsolService PowerShell Module
- AzureAD PowerShell Module
Note: AzureAD is the preferred PowerShell module for blocking user accounts because it forces user sign-outs. With MsolService, if your users are signed in when the block is implemented, it comes into force only after they sign out – that is, for their subsequent sign-ins.
For those who like to watch and learn, check out the 6-minute video at the end of this article, which is a shortened version of this content.
Using the MsolService Module
You can use the MsolService module to block a user account individually or in bulk.
Blocking User Accounts Individually Using the MsolService Module
Block a user account by running the following cmdlet, also shown in Figure 1:
Set-MsolUser -UserPrincipalName "test1@w4l0s.onmicrosoft.com" -BlockCredential $true

Here’s a brief explanation of how the preceding script works:
- Use the Set-MsolUser cmdlet
- Pass in the -UserPrincipalName of the user that you want to block
- Set the -BlockCredential parameter to $true
Blocking User Accounts in Bulk Using the MsolService Module
Block user accounts in bulk by importing them from a CSV file, and then running the Set-MsolUser cmdlet as shown below:
- $blockUsers = Import-Csv "c:/users/d/downloads/block_users.csv" [storing the CSV details in a PowerShell variable $blockUsers for ease of use]
- forEach($user in $blockUsers){Set-MsolUser -UserPrincipalName $user.UserPrincipalName -BlockCredential $true} [running a for loop over the $blockUsers variable, running the Set-MsolUser cmdlet for every user in the loop, passing their <userprincipalname> to the -UserPrincipalName parameter, and setting the -BlockCredential parameter to the $true value]

Notes:
- To unblock blocked user accounts individually, pass the $false value to the -BlockCredential parameter:
Set-MsolUser -UserPrincipalName [sign-in name of user account] -BlockCredential $false
- To unblock user accounts in bulk, run the following cmdlet:
Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $false }
- To check the blocked status of a user account, run the following cmdlet:
Get-MsolUser -UserPrincipalName [userprincipalname] | Select DisplayName,BlockCredential
Using the AzureAD Module
You can use the AzureAD module to block a user account individually or in bulk.
Blocking User Accounts Individually Using the AzureAD Module
Block a user account by running the following cmdlet:
Set-AzureADUser -ObjectID "test1@w4l0s.onmicrosoft.com" -AccountEnabled $false
Note: You can either pass in the UserPrincipalName or the ObjectID of the user to be blocked to the -ObjectID parameter. [Get-AzureADUser cmdlet helps you get the ObjectIDs of your users.]
Here’s a brief explanation of how the preceding script works:
- Use the Set-AzureADUser cmdlet
- Pass in the UserPrincipalName or ObjectID to the -ObjectID parameter
- Set the -AccountEnabled parameter to $false [so that the user credentials are blocked]

Blocking User Accounts in Bulk Using the AzureAD Module
Block user accounts in bulk by importing them from a CSV file and running the Set-AzureADUser cmdlet as shown below:
- $blockUsers = Import-Csv "c:/users/d/downloads/block_users.csv" [storing the CSV details in a PowerShell variable $blockUsers for ease of use]
- forEach($user in $blockUsers){Set-AzureADUser -ObjectID $user.UserPrincipalName -AccountEnabled $false} [running a for loop over the $blockUsers variable, running the Set-AzureADUser cmdlet for every user in the loop, passing their <userprincipalname> to the -ObjectID parameter, and setting the -AccountEnabled parameter to the $false value]

Forcing Sign-Outs While Blocking User Accounts
As mentioned, the AzureAD module is preferred over MsolService. This is because it not only blocks user accounts, but also forces user sign-outs from their current sessions (if any), by letting you run the following cmdlet, also shown in Figure 5:
Revoke-AzureADUserAllRefreshToken -ObjectId 36475615-1330-4f06-8b79-64a5dd47e3c6
Here’s a brief explanation of how the preceding script works:
- Use the Revoke-AzureADUserAllRefreshToken cmdlet
- Pass in the ObjectId of the user to the -ObjectId parameter
Note: The Revoke-AzureADUserAllRefreshToken cmdlet revokes the refresh tokens associated with the signed-in user. When the refresh tokens are revoked, the current user sign-in sessions (if any) will be terminated. To get the ObjectId of the user whose tokens are to be revoked, run the following cmdlet:
Get-AzureADUser

Possible Errors You Might Face
Here are examples of errors you might come across:
- Trying to block a user who has already been blocked or does not exist: The best practice is to maintain a separate list of blocked users. Doing so can prevent you from blocking users who are blocked already.
- Not providing proper CSV headers: Maintaining dedicated CSV templates for every bulk action that is supported (such as blocking users) will ensure that you get your CSV headers right.
- Typos in your script: Predefine your scripts using .ps1 files (script files), so that you don’t have to type them out every time. This not only saves you time, but also reduces the chances of your script having typo-related errors.
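The bulk block and forced sign-out steps above, combined with the checks this list recommends (CSV header validation, handling of already-blocked or nonexistent users, and a record of what was blocked), could be saved as a .ps1 file along the following lines. This is an added example, not part of the original article; the function name Block-UsersFromCsv and the log path are assumptions, and it expects the AzureAD module with an existing Connect-AzureAD session.

```powershell
# Added example: bulk block + refresh-token revocation with pre-checks and a log.
# Requires the AzureAD module and an existing Connect-AzureAD session.
function Block-UsersFromCsv {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,        # CSV with a UserPrincipalName column
        [string] $LogPath = ".\blocked_users_log.csv"    # assumed location of the blocked-users list
    )

    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }

    # Fail early on a wrong header instead of passing $null to -ObjectId for every row.
    if ($rows[0].PSObject.Properties.Name -notcontains 'UserPrincipalName') {
        throw "CSV must have a 'UserPrincipalName' header"
    }

    $results = foreach ($row in $rows) {
        $upn = "$($row.UserPrincipalName)".Trim()
        $status = 'Skipped'
        try {
            if (-not $upn) { throw 'Empty UserPrincipalName' }
            # Throws if the user does not exist; caught below and logged.
            $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop

            if ($user.AccountEnabled -eq $false) {
                $status = 'AlreadyBlocked'
            } elseif ($PSCmdlet.ShouldProcess($upn, 'Block sign-in')) {
                Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false -ErrorAction Stop
                $status = 'Blocked'
            }
            # Revoke tokens even for already-blocked accounts: a block applied
            # earlier with MsolService takes effect only after the user signs out.
            if ($PSCmdlet.ShouldProcess($upn, 'Revoke refresh tokens')) {
                Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
                $status += '+TokensRevoked'
            }
        } catch {
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ UserPrincipalName = $upn; Status = $status; Time = (Get-Date).ToString('s') }
    }

    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results   # also return the per-user outcome to the caller
}
# Dry run first: Block-UsersFromCsv -CsvPath .\block_users.csv -WhatIf
```

With -WhatIf the function still looks up each user but changes nothing, so header mistakes and unknown sign-in names surface before any account is touched.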
Conclusion
In case of security threats, it’s best to use the most powerful option available. When it comes to blocking Microsoft 365 user accounts, the AzureAD PowerShell module is the clear winner. This is because you can block user accounts immediately by forcing users out of their current sign-in sessions, which leaves no room for any security negligence.
For Those Who Like to Watch and Learn
The following video is a 6-minute version of this article. It explains how you can block Microsoft 365 users using MsolService and AzureAD PowerShell modules.