Provide a way to suspend access to Office 365 so that compromised credentials cannot be used to exfiltrate data
We need the ability to disable access to all Office 365 services when we suspect that the user's federated login session has been compromised. Short of removing all license options from the account, there is no way to do this. Revoke-SPOUserSession will kick a user out of active sessions, but does not prevent the malicious actor from immediately regaining access.
Max Caines commented
Yes. I've just tried all the methods listed in https://blogs.technet.microsoft.com/cloudyhappypeople/2017/10/05/killing-sessions-to-a-compromised-office-365-account/, and not one of them has stopped a logged-in email user from sending spam. That only leaves disabling the mailbox, which is a bit more drastic than I'd like.
For email, the alternative Revoke-AzureADUserAllRefreshToken also does not meet our needs, as it does not revoke the access token. This means users still have access via Modern Auth authentication clients until the access token expires. Additionally, clients that do not use Modern Auth, such as Android's Gmail mail client or many of the other Android mail clients, may retain access significantly longer.
Agreed. We need a way to see active authenticated sessions and the ability to revoke any authorization token so that a compromised account cannot connect to any Office 365 services.