Identity Management (Entra ID)

Password Reset vs Session Revoke: The Vital Difference

5 min read · Akuity SOC · Delphisoft Deutschland

Changing a password is not enough to stop a hacker who is already connected. Learn the technical difference between resetting and revoking Entra ID sessions.

When it comes to incident response, one of the most common – and most dangerous – mistakes IT teams make concerns compromised user accounts. When a system administrator learns that an employee's email account has been hacked, their first instinct is almost universal: force a password reset.

While this action is essential, on its own it is tragically insufficient against modern cyberattacks. To understand why a hacker can keep emptying a mailbox hours after the password has been changed, you need to look at the authentication mechanics of Microsoft Entra ID (Azure AD) and grasp the vital difference between reset and revocation.

The Myth of Changing Your Password

In the collective imagination, changing a password is like changing the lock on a door: anyone who does not have the new key is immediately kicked out of the house. In the cloud world, this is not the case.

When you sign in to Microsoft 365, Entra ID verifies your identity (password + MFA) and issues you an "Access Token" and a "Refresh Token".

  • The Access Token is valid for a short time (usually 1 hour) and lets you reach Exchange or SharePoint without signing in again.
  • The Refresh Token (valid for up to 90 days) lets the browser silently request a new Access Token when the first one expires.

If a hacker has stolen your user's session (token theft), those tokens now sit on the attacker's own computer. If you only change the password, the hacker's Refresh Token remains valid. When they try to open a new document, Entra ID accepts the refresh token and issues them fresh access. The hacker stays connected and continues exfiltrating data with complete impunity.

The real emergency weapon: The Revocation of Sessions

To truly “kick” an attacker out of your infrastructure, you must invalidate the trust the system places in previously issued tokens. That is the role of Session Revocation (the API command revokeSignInSessions).

When this command is executed:

  1. Microsoft Entra ID instantly invalidates all Refresh Tokens issued for this user.
  2. A revocation event is propagated to all cloud services (Teams, Outlook, SharePoint, OneDrive).
  3. As soon as the attacker's current Access Token expires (or as soon as they attempt a new action that requires validation), they are denied access. They are abruptly disconnected and sent back to the login page, where they would have to prove their identity.

Joint orchestration with Akuity SOC

For identity remediation to be complete, it must always combine both actions. The Akuity SOC orchestrator was designed to streamline this technical choreography, guaranteeing the hacker's total expulsion and a secure resumption of activity for the employee.

From the “Identities at risk” tab, the SOC analyst can chain the operations safely:

Step 1: Cut off access (Revoke Sessions)

With one click, the analyst triggers the revokeSessions action. The backend validates the analyst's identity through their MFA application (AAL2 assurance level required) and sends the global revocation order to the Microsoft Graph API. The attacker is expelled.

Step 2: Change the lock (Reset Password)

Immediately afterwards, the analyst uses the resetUserPassword action. Unlike the classic Azure console, which can be tedious, Akuity generates a robust temporary password on the fly (e.g. Xy7!pL9#mK2).

This password is displayed in a secure persistent modal with a quick-copy button. It is only a transition password: the action also updates the user's profile in Entra ID to force a password change the next time they sign in.

Conclusion: Adopt the right SOAR reflexes

Don't let a poor understanding of OAuth token mechanics compromise your business's security. When faced with an identity theft alert, the correct sequence never changes: revoke first, then reset.

By integrating these capabilities directly into a response orchestrator, you ensure that your Tier 1 teams consistently apply the right remediation method, without errors and within seconds.

Secure your identity remediation. Discover how our Identity Management at Risk (Entra ID) platform automates session revocation and secure reset.

Related Solution Page

Identity Management at Risk (Entra ID)

Block Entra ID identity theft every second. Just-in-time impossible-travel detection, session revocation, and confirmation of compromise.

Discover the complete solution