2

I have changed a user's password, but it seems that he was logged in via webmail at the time, and his session has remained alive.

I have disabled the account too at the time of the active session on webmail, but the user still has an active session.

Venky
  • If the answers you were provided help you with your question, you should select one as an accepted answer. – mfinni Apr 14 '14 at 15:43

3 Answers

4

The web session doesn't become invalid when the account changes, unfortunately. Same thing happens if you have a user logged into a domain workstation and you disable their account. They still have a valid session on that workstation and won't notice a problem until they have to reauthenticate to that machine (logout/login or unlock), or need to access resources on another machine that they don't have a current session on.

mfinni
2

What mfinni said. One possible workaround may be to turn off the user's access to OWA via PowerShell with Set-CASMailbox -Identity "user's ID" -OWAEnabled $false. If you're using ADFS, you might be able to create an AD group which is not allowed to remotely access Office 365 and put terminated employees there.

I don't know if either will kick them out before their session expires, however, and am not in a position to test it.

Katherine Villyard
0

OWA and ActiveSync have similar issues: an auth request does not go through for every data request. A user will have a token which has a TTL. :(

There are two extremely relevant articles in TechNet Blogs:

Part I: ActiveSync

Part II: OWA, MAPI & EWS

Even the approaches above are not instantaneous. However, 5-10 minutes is better than HOURS.

blaughw
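The workaround from the second answer, extended to the other client protocols named in the third answer (ActiveSync, MAPI, EWS), as an added example that is not part of the original answers. It assumes an on-premises Exchange Management Shell with the ActiveDirectory module loaded; the function name and the account name in the usage comment are hypothetical.

```powershell
# Added example, not code from the original answers.
# Assumes: Exchange Management Shell (Set-CASMailbox / Get-CASMailbox) and the
# ActiveDirectory module (Disable-ADAccount / Get-ADUser) are both available.
function Disable-MailClientAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # SamAccountName of the account whose access is being cut off
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable AD account and mail client protocols')) {
        # Blocks new logons. As the answers explain, a session that already
        # holds a valid token is not ended by this step alone.
        Disable-ADAccount -Identity $SamAccountName -ErrorAction Stop

        # -OWAEnabled is a Set-CASMailbox parameter. The other switches close
        # the protocols the third answer lists as having the same token issue.
        Set-CASMailbox -Identity $SamAccountName `
            -OWAEnabled $false `
            -ActiveSyncEnabled $false `
            -MAPIEnabled $false `
            -EwsEnabled $false `
            -ErrorAction Stop
    }

    # Read the settings back so the change can be recorded or reviewed.
    # This reports configuration only, not whether a live session still exists.
    $cas  = Get-CASMailbox -Identity $SamAccountName
    $user = Get-ADUser -Identity $SamAccountName

    [pscustomobject]@{
        Account           = $SamAccountName
        AdAccountEnabled  = $user.Enabled
        OWAEnabled        = $cas.OWAEnabled
        ActiveSyncEnabled = $cas.ActiveSyncEnabled
        MAPIEnabled       = $cas.MAPIEnabled
        EwsEnabled        = $cas.EwsEnabled
    }
}

# Dry run first ('jdoe' is a constructed account name):
# Disable-MailClientAccess -SamAccountName 'jdoe' -WhatIf
```

With -WhatIf the function changes nothing and only reports the current settings, which is useful for confirming the target account before running it for real.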