Security helpers

Requires a Microsoft Graph session. For full and always-up-to-date details, use Get-Help <FunctionName> -Detailed (or -Examples).

Disable-UserDevices

Disable all registered devices for specified users.

Syntax

Disable-UserDevices -UserPrincipalName <String[]> [-PassThru]

Parameter	Type	Description	Required	Default
`UserPrincipalName` (`Identity`)	String[]	Target users (UPN/object ID/short identifier). Pipeline accepted.	Yes	-
`PassThru`	Switch	Emit the impacted devices.	No	`False`

Example

Disable-UserDevices -UserPrincipalName user1@contoso.com,user2@contoso.com -WhatIf

Block sign-in (AccountEnabled = $false) for specified users.

Syntax

Disable-UserSignIn -UserPrincipalName <String[]> [-PassThru]

Parameter	Type	Description	Required	Default
`UserPrincipalName` (`Identity`)	String[]	Target users (UPN/object ID/short identifier). Pipeline accepted.	Yes	-
`PassThru`	Switch	Emit the impacted users.	No	`False`

Example

Disable-UserSignIn -UserPrincipalName user1@contoso.com -Confirm:$false

Force sign-out by revoking refresh tokens for users.

Syntax

Revoke-UserSessions [-All] [-UserPrincipalName <String[]>] [-Exclude <String[]>] [-PassThru]

Parameter	Type	Description	Required	Default
`All`	Switch	Target every user in the tenant.	No	`False`
`UserPrincipalName` (`Identity`)	String[]	Users to target (UPN/object ID/short identifier). Pipeline accepted.	No	-
`Exclude`	String[]	Users to skip (UPN/object ID/short identifier; applies to both -All and explicit lists).	No	-
`PassThru`	Switch	Emit the impacted users.	No	`False`

Examples

Revoke-UserSessions -UserPrincipalName user1@contoso.com,user2@contoso.com

Revoke-UserSessions -All -Exclude user@contoso.com -Confirm:$false

Notes:

Supports -WhatIf/-Confirm for safety.
Skips missing users and reports exclusions.
User identities are resolved through Find-UserRecipient, so short identifiers are supported.