How to Block Microsoft 365 User Accounts Using PowerShell

May 25, 2023

This article discusses how to use Windows PowerShell to block Microsoft 365 user accounts that pose a security threat. You can:

  • Block a user account individually.
  • Block user accounts in bulk (or in large numbers).

There are two PowerShell modules for blocking user accounts:

  • MsolService PowerShell Module
  • AzureAD PowerShell Module

Note: AzureAD is the preferred PowerShell module for blocking user accounts because it forces user sign-outs. With MsolService, if your users are signed in when the block is implemented, it comes into force only after they sign out – that is, for their subsequent sign-ins.

For those who like to watch and learn, check out the 6-minute video at the end of this article, which is a shortened version of this content.

Using the MsolService Module

You can use the MsolService module to block a user account individually or in bulk.

Blocking User Accounts Individually Using the MsolService Module

Block a user account by running the following cmdlet, also shown in Figure 1:

Set-MsolUser -UserPrincipalName "test1@w4l0s.onmicrosoft.com" -BlockCredential $true

Figure 1: Blocking a user with MsolService. | Demo: Thilak Kumar Singh

Here’s a brief explanation of how the preceding script works:

  • Use the Set-MsolUser cmdlet
  • Pass in the -UserPrincipalName of the user that you want to block
  • Set -BlockCredential parameter to $true

Blocking User Accounts in Bulk Using the MsolService Module

Block user accounts in bulk by importing them from a CSV file, and then running the Set-MsolUser cmdlet as shown below:

  • Use the following to store the CSV details in a PowerShell variable $blockUsers for ease of use: 
    $blockUsers = Import-Csv "c:/users/d/downloads/block_users.csv"
  • Run a foreach loop over the $blockUsers variable, run the Set-MsolUser cmdlet for every user in the loop, pass their <userprincipalname> to the -UserPrincipalName parameter, and set the -BlockCredential parameter to $true, as follows:
    forEach($user in $blockUsers){Set-MsolUser -UserPrincipalName $user.UserPrincipalName -BlockCredential $true}

Figure 2: Blocking users in bulk with MsolService. | Demo: Thilak Kumar Singh

Notes:

  • To unblock blocked user accounts individually, pass $false value to the -BlockCredential parameter:  
    Set-MsolUser -UserPrincipalName [sign-in name of user account] -BlockCredential $false
  • To unblock user accounts in bulk, run the following cmdlet:  
    Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-MsolUser -UserPrincipalName $_ -BlockCredential $false }
  • To check the blocked status of a user account, run the following cmdlet:  
    Get-MsolUser -UserPrincipalName [userprincipalname] | Select DisplayName,BlockCredential

Using the AzureAD Module

You can use the AzureAD module to block a user account individually or in bulk.

Blocking User Accounts Individually Using the AzureAD Module

Block a user account by running the following cmdlet: 

Set-AzureADUser -ObjectID "test1@w4l0s.onmicrosoft.com" -AccountEnabled $false

Note: You can either pass in the UserPrincipalName or the ObjectID of the user to be blocked to the -ObjectID parameter. [Get-AzureADUser cmdlet helps you get the ObjectIDs of your users.]

Here’s a brief explanation of how the preceding script works:

  • Use the Set-AzureADUser cmdlet
  • Pass in the UserPrincipalName or ObjectID to the -ObjectID parameter
  • Set the -AccountEnabled parameter to $false [so that the user credentials are blocked]

Figure 3: Blocking a user with AzureAD. | Demo: Thilak Kumar Singh

Blocking User Accounts in Bulk Using the AzureAD Module

Block user accounts in bulk by importing them from a CSV file and running the Set-AzureADUser cmdlet as shown below:

  • Store the CSV details in a PowerShell variable $blockUsers for ease of use as follows:
    $blockUsers = Import-Csv "c:/users/d/downloads/block_users.csv"
  • Run a foreach loop over the $blockUsers variable, run the Set-AzureADUser cmdlet for every user in the loop, pass their <userprincipalname> to the -ObjectID parameter, and set the -AccountEnabled parameter to $false, as follows:
    forEach($user in $blockUsers){Set-AzureADUser -ObjectID $user.UserPrincipalName -AccountEnabled $false}

Figure 4: Blocking users in bulk using AzureAD. | Demo: Thilak Kumar Singh

Forcing Sign-Outs While Blocking User Accounts

As mentioned, the AzureAD module is preferred over MsolService. This is because it not only blocks user accounts, but also forces user sign-outs from their current sessions (if any), by letting you run the following cmdlet, also shown in Figure 5:
Revoke-AzureADUserAllRefreshToken -ObjectId 36475615-1330-4f06-8b79-64a5dd47e3c6

Here’s a brief explanation of how the preceding script works:

  • Use the Revoke-AzureADUserAllRefreshToken cmdlet
  • Pass in the ObjectId of the user to the -ObjectId parameter

Note: The Revoke-AzureADUserAllRefreshToken cmdlet revokes the refresh tokens associated with the signed-in user. When the refresh tokens are revoked, the current user sign-in sessions (if any) will be terminated. To get the ObjectId of the user to be revoked, run the following cmdlet: Get-AzureADUser

Figure 5: Forcing user sign-out with AzureAD. | Demo: Thilak Kumar Singh

Possible Errors You Might Face

Here are examples of errors you might come across:

  • Trying to block a user who has already been blocked or does not exist: The best practice is to maintain a separate list of blocked users. Doing so can prevent you from blocking users who are blocked already.
  • Not providing proper CSV headers: Maintaining dedicated CSV templates for every bulk action that is supported (such as blocking users) will ensure that you get your CSV headers right.
  • Typos in your script: Predefine your scripts using .ps1 files (script files), so that you don’t have to type them out every time. This not only saves you time, but also reduces the chances of your script having typo-related errors.
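
The bulk block, the forced sign-out, and the error cases listed above can be combined into one reusable .ps1 file. The script below is an added example, not the author's own code: it assumes Connect-AzureAD has already been run, and the -LogPath parameter and its default file name are hypothetical.

```powershell
# Added example: bulk block plus forced sign-out with the AzureAD module.
# Assumes an existing Connect-AzureAD session and a CSV with a UserPrincipalName column.
param(
    [string]$CsvPath = "c:/users/d/downloads/block_users.csv",  # CSV path used in the article
    [string]$LogPath = ".\blocked_users_log.csv"                # hypothetical log file
)

# @() keeps .Count and [0] well-defined for empty and single-row files.
$blockUsers = @(Import-Csv $CsvPath)

# Fail early on an empty file or a wrong header instead of looping over blank values.
if ($blockUsers.Count -eq 0 -or
    -not ($blockUsers[0].PSObject.Properties.Name -contains 'UserPrincipalName')) {
    throw "CSV '$CsvPath' needs a 'UserPrincipalName' header and at least one row."
}

$results = foreach ($row in $blockUsers) {
    $upn = "$($row.UserPrincipalName)".Trim()
    if (-not $upn) { continue }              # skip blank rows

    $status = 'Blocked'
    try {
        # Throws if the user does not exist, which lands in the catch block.
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop

        if ($user.AccountEnabled) {
            Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false -ErrorAction Stop
        } else {
            $status = 'AlreadyBlocked'
        }

        # Revoke refresh tokens in both cases so existing sessions are terminated.
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        UserPrincipalName = $upn
        Status            = $status
        Time              = (Get-Date).ToString('s')
    }
}

# The log doubles as the separate list of blocked users recommended above.
$results | Export-Csv $LogPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
```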

Conclusion

In case of security threats, it’s best to use the most powerful option available. When it comes to blocking Microsoft 365 user accounts, the AzureAD PowerShell module is the clear winner. This is because you can block user accounts immediately by forcing users out of their current sign-in sessions, which leaves no room for any security negligence.

For Those Who Like to Watch and Learn

The following video is a 6-minute version of this article. It explains how you can block Microsoft 365 users using MsolService and AzureAD PowerShell modules.

 

Thilak Kumar Singh

Thilak Kumar Singh is a trainer who believes in teaching about IT in the simplest possible way with more emphasis on visual mode of learning. He firmly believes in democratizing IT knowledge, especially of Microsoft solutions, in which he specializes as a trainer and consultant.

He observes that in this era dominated by cloud computing and collaboration, where IT has reached users unimaginable hitherto, IT knowledge must not be an obscure science, but rather be available to anyone who wishes to engage with IT.