Block Microsoft 365 user sign-in

When a Microsoft 365 user account is compromised, you must immediately block the user from signing in. Doing that will also sign out all the user sessions within 60 minutes. In this article, you will learn how to block a Microsoft 365 user sign-in using Microsoft 365 admin center and Microsoft Graph PowerShell.

Microsoft 365 user sign-in blocked

You can block a user from signing in to all Microsoft 365 services in two methods:

• Microsoft 365 admin center
• Microsoft Graph PowerShell

Block user in Microsoft 365 admin center

First, we will show you the steps to block a sign-in in Microsoft 365 admin center for a single user. Then we will show you the steps to block multiple users sign-in.

Block single Microsoft 365 user sign-in

Block multiple Microsoft 365 users

To block multiple Microsoft 365 user accounts, follow these steps:

1. Go to Users > Active users
2. Select the users in the list
3. Click the More button
4. Click Edit sign-in status

5. Select Block users from signing in
6. Click Save

The selected users are blocked from signing in.

Verify blocked Microsoft 365 user sign-in

To verify you blocked the users, you can filter and find the blocked users in the list.

• Go to User > Active users
• Click Filter > Sign-in blocked

It shows a list of all the sign-in blocked users.

Block user with Microsoft Graph PowerShell

Another way to block a user sign-in is with Microsoft Graph PowerShell. You can use one of the below PowerShell scripts to block a single user or multiple users.

Block single Microsoft 365 user sign-in

1. Copy the below PowerShell script into PowerShell ISE or Visual Studio Code
2. Change the user principal name (UPN) of the account you want to block on line number 6
3. Run the below PowerShell script

# Connect to Microsoft Graph PowerShell
Connect-MgGraph -Scopes Directory.AccessAsUser.All

# Specify the user principal name (UPN) of the account you want to block
$upn = "amanda.hansen@m365info.com"

# Retrieve the user
$user = Get-MgBetaUser -All -Filter "UserPrincipalName eq '$upn'"

# Check if the user is unblocked
if ($user.AccountEnabled -eq $true) {

    # User is unblocked, block the account
    Update-MgBetaUser -UserId $User.Id -AccountEnabled:$false

    Write-Host "Account $($User.UserPrincipalName) blocked successfully." -ForegroundColor Green
}
else {
    Write-Host "Account $($User.UserPrincipalName) is already blocked." -ForegroundColor Cyan
}

The output shows that the user account is blocked.

Welcome To Microsoft Graph!
Account Amanda.Hansen@m365info.com blocked successfully.

If the Microsoft user account were blocked, the output would show that the account is already blocked.

Welcome To Microsoft Graph!
Account Amanda.Hansen@m365info.com is already blocked.

If you like to block multiple users, read the next step.

Block multiple Microsoft 365 users

Follow the below steps to block multiple Microsoft 365 users sign-in with Microsoft Graph PowerShell.

1. Create a .txt file and type the user accounts you want to block

2. Go to the C:\temp folder
3. Name the file
4. Save it as a .txt file
5. Click Save

6. Run the below PowerShell script

# Connect to Microsoft Graph PowerShell
Connect-MgGraph -Scopes Directory.AccessAsUser.All

# Specify the path to the text file containing user principal names (UPNs)
$upns = Get-Content -Path "C:\temp\Users.txt"

# Loop through each UPN in the array
foreach ($upn in $upns) {
    # Retrieve the user
    $user = Get-MgBetaUser -All -Filter "UserPrincipalName eq '$upn'"

    if ($user) {
        # Check if the user is unblocked
        if ($user.AccountEnabled -eq $true) {

            # User is unblocked, block the account
            Update-MgBetaUser -UserId $user.Id -AccountEnabled:$false
            Write-Host "Account $($user.UserPrincipalName) blocked successfully." -ForegroundColor Green
        }
        else {
            Write-Host "Account $($user.UserPrincipalName) is already blocked." -ForegroundColor Cyan
        }
    }
    else {
        Write-Host "Account $upn not found." -ForegroundColor Yellow
    }
}

The output blocks the Microsoft 365 user accounts in the .txt file.

It will not block these user accounts if:

• The user account is already blocked
• The user account does not exist

Welcome To Microsoft Graph!
Account Amanda.Hansen@m365info.com blocked successfully.
Account Amanda.Kent@m365info.com not found.
Account Brenda.Smith@m365info.com is already blocked
Account David.Kent@m365info.com is already blocked
Account Stephen.Hunter@m365info.com blocked successfully.

Verify Microsoft 365 user sign-in blocked

When the blocked user tries to log into Microsoft 365, they will see this warning below.

You successfully blocked Microsoft 365 user sign-in!

Read more: Change Microsoft 365 tenant display name »

Conclusion

You learned how to block sign-in for Microsoft 365 users. It can be done in Microsoft 365 admin center and with Microsoft Graph PowerShell. To block multiple users, it’s much faster to use a .txt file and run the PowerShell script.

Did you enjoy this article? You may also like Configure technical contact details in Microsoft 365. Don’t forget to follow us and share this article.