If you identify a security breach on your network, one of the first things you will want to do is remove the compromised account's ability to sign in. Here is the correct way to block sign-in to an Office 365 account.
Steps to block sign in to an Office 365 account
- Log into your Office 365 administration portal using an account that has sufficient privileges to manage Office 365 users.
- Click the Admin icon.
- Click ‘Users’ > ‘Active users’.
- In the Active users blade, select the check box next to the user you want to block sign-in for.
- Click ‘Block sign-in’ and be sure to tick the checkbox for ‘Block this user from signing in.’
- Click the ‘Save changes’ button.
- You will see a confirmation like the one below.
Blocking sign-in does not end sessions that are already established: an attacker can continue with their attack until the session they signed in with expires, which can take up to sixty minutes.
Therefore, if you are responding to a breach, take further steps to mitigate any actions the attacker might take in the meantime; for example, create a transport rule in Exchange that redirects all emails sent from the compromised account to another mailbox, so the account cannot be used to send spam or phishing emails.
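The portal steps above and the transport-rule mitigation, as an added PowerShell example that is not part of the original article; it also revokes the account's refresh tokens, which goes beyond the portal procedure. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and the UPN and review mailbox below are placeholders.

```powershell
# Added example (not from the original article): block sign-in for a compromised
# Microsoft 365 account with the Microsoft Graph PowerShell SDK, revoke its refresh
# tokens, verify the block, then redirect its outbound mail with an Exchange transport rule.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed; addresses are placeholders.

$CompromisedUpn = "compromised.user@contoso.example"   # placeholder UPN
$ReviewMailbox  = "security-review@contoso.example"    # placeholder mailbox that receives redirected mail

# Sign in with an admin account; these scopes cover updating the user and revoking sessions.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

# Step 1: block sign-in (equivalent to the portal's 'Block this user from signing in').
Update-MgUser -UserId $CompromisedUpn -AccountEnabled:$false

# Step 2: invalidate refresh tokens and session cookies issued to the account.
# Access tokens the attacker already holds stay valid until they expire (the
# up-to-sixty-minute window the article describes), but they can no longer be renewed.
Revoke-MgUserSignInSession -UserId $CompromisedUpn

# Step 3: verify the block took effect before moving on.
$user = Get-MgUser -UserId $CompromisedUpn -Property UserPrincipalName, AccountEnabled
if ($user.AccountEnabled) {
    throw "Sign-in block for $($user.UserPrincipalName) did not apply; check the admin account's permissions."
}
Write-Output "Sign-in blocked and sessions revoked for $($user.UserPrincipalName)."

# Step 4: while existing sessions drain, redirect any mail the account sends to a
# review mailbox so it cannot be used for spam or phishing.
Connect-ExchangeOnline
New-TransportRule -Name "IR: redirect mail from $CompromisedUpn" `
    -From $CompromisedUpn `
    -RedirectMessageTo $ReviewMailbox `
    -Comments "Incident response containment; remove once the account is confirmed clean."
```

Remove the transport rule and re-enable the account only after the investigation confirms the credential has been reset and no persistence (forwarding rules, app consents, MFA changes) remains.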