
Account Management & Session Revocation

20 mins

Understanding the Concept

Disabling and blocking user accounts is a critical incident response action. When an account is compromised or an employee is terminated, you need to immediately prevent sign-in, revoke all active sessions, and disable refresh tokens to cut off access.

Session revocation in Microsoft Entra ID can be done via the Revoke Sessions action, which invalidates all refresh tokens. However, access tokens may remain valid for up to 1 hour. Continuous Access Evaluation (CAE) significantly reduces this gap for CAE-capable applications.

Microsoft Entra Kerberos authentication enables hybrid identities to use cloud credentials for accessing on-premises Kerberos-based resources. This is particularly important for organizations transitioning from AD FS to cloud authentication while maintaining access to legacy applications.

Key Points

  • Block sign-in: Prevents new authentications immediately
  • Revoke sessions: Invalidates refresh tokens for all devices
  • Access token lifetime: Up to 1 hour after revocation without CAE
  • CAE: Reduces token gap to near real-time for supported apps
  • Entra Kerberos: Cloud auth for on-prem Kerberos resources
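
The block-then-revoke sequence described above, as an added example in Microsoft Graph PowerShell (not code from the course or from Microsoft's documentation). It assumes the Microsoft.Graph module is installed, that the operator holds an Entra role permitted to disable users and revoke sessions, and that the UPN shown is a placeholder.

```powershell
# Added example: full cut-off sequence for a compromised Entra ID user.
# Assumes the Microsoft.Graph module is installed and the signed-in operator
# holds a role that may disable users and revoke their sessions.
function Disable-CompromisedUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Delegated scope that covers both the user update and revokeSignInSessions.
    Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,AccountEnabled -ErrorAction Stop

    # Step 1: block sign-in. Stops every new authentication immediately.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop

    # Step 2: revoke sessions. Moves signInSessionsValidFromDateTime to "now",
    # so every refresh token issued before it is rejected on all devices.
    Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null

    # Step 3: record the cut-off timestamp for the incident timeline and verify state.
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled,SignInSessionsValidFromDateTime
    if ($after.AccountEnabled) { throw "Account $UserPrincipalName is still enabled" }

    # Already-issued access tokens for non-CAE apps stay usable until they expire
    # (up to 1 hour); CAE-capable apps drop them in near real time.
    [pscustomobject]@{
        User                 = $UserPrincipalName
        AccountEnabled       = $after.AccountEnabled
        SessionsValidFrom    = $after.SignInSessionsValidFromDateTime
        AccessTokenGapEndsBy = $after.SignInSessionsValidFromDateTime.AddHours(1)
    }
}

# Usage (placeholder UPN, constructed for this example):
# Disable-CompromisedUser -UserPrincipalName "compromised.user@contoso.example"
```

This sequence does not remove legacy app passwords or other per-user credentials; those are handled as a separate step.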

Why This Matters in Real Organizations

During a security incident, every minute of continued access matters. Understanding the full chain of actions needed to completely cut off a compromised identity, including the token lifetime gaps that remain after each action, is essential for effective incident response.

Common Mistakes to Avoid

  • Only disabling the account without revoking sessions - existing tokens remain valid
  • Not understanding the access token lifetime gap
  • Forgetting to revoke app-specific passwords for legacy apps
  • Not configuring CAE-capable apps to reduce the revocation gap

Interview Tips

  • Explain the full incident response process for a compromised identity
  • Discuss the token lifetime gap and how CAE mitigates it
  • Mention Entra Kerberos for hybrid authentication scenarios

Exam Tips (SC-300)

  • Know the steps to fully disable a compromised account
  • Understand access token vs refresh token revocation timing
  • Know Entra Kerberos requirements for hybrid environments
