Table of Contents
The Same Revoke Sessions Button Everywhere
Part of restarting after a holiday break is catching up with stuff. In my case, I considered the “What’s New in Microsoft Entra – November 2025” post in the Microsoft technical community and the mention there about revoking multifactor authentication sessions. The article said:
Starting February 2026, we are replacing the current Revoke multifactor authentication sessions button with the Revoke sessions button in the Microsoft Entra portal. The legacy Revoke MFA sessions action only applies to per-user MFA enforcement, which has led to confusion. To simplify and ensure consistent behavior, the new Revoke sessions button will invalidate all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies.
The text certainly confused me. After chatting with some Microsoft contacts, the situation is as follows:
The user properties page in the Entra admin center includes a Revoke sessions button (Figure 1). This button performs the same function as the Revoke-MgUserSignInSession cmdlet.
If you view the authentication methods for a user account, the Revoke multifactor authentication sessions button appears (Figure 2).
As explained in the blog, this button only handles per-user MFA sessions. Microsoft is trying to get rid of per-user MFA and replace the older mechanism with conditional access policies that require multifactor authentication (of different types and strengths).
Conditional access policies are much more functional and powerful, so I don’t have any issues with Microsoft’s direction on a technical level. The sole issue is Microsoft’s insistence that conditional access requires Entra P1 licenses. It would be an easier changeover if use of basic conditional access policies was included in Office 365 E3 and above (E3 includes per-user MFA). It seems like tenants buy Entra P1 for other reasons, so the issue is probably fading over time.
Communications Confusion
Microsoft is dead right that the existence of the two buttons is confusing. When things go wrong and an administrator needs to revoke sessions as part of securing a user account (perhaps after potential compromise), they don’t want to have an internal debate to decide whether to revoke sessions or revoke multifactor authentication sessions.
One button to revoke sessions that might appear in multiple places (if necessary) is perfectly adequate. You can’t complain about Microsoft’s move to rationalize buttons to remove confusion. All I protest is the text. I know I’m not the only one to require several readings to fully understand what the blog intended to communicate.
Include Revoke Sessions in a Script
In any case, revoking sessions is only one step in the actions necessary to secure a user account in case of problems. This is where PowerShell comes in because the best and most efficient approach to disabling user accounts is to create a script to do the job.
A script using Microsoft Graph PowerShell SDK cmdlets to revoke sessions, disable the account, change the account password, and disable devices registered to the account is explained in this article. It’s a good starting point for automating a very important administrative operation. See chapter 4 in the Office 365 for IT Pros eBook for more details.
A Need for Clarity
Explanations about technology can be obscured by our personal knowledge of a situation. We assume that our readers know more about the topic than they do and explain from that point. This can lead to text that confuses and misleads. You’d imagine that something like artificial intelligence could help…
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!