Active Users

2. Search for the user you want to reset the password for. Click the Display name of the account. Click Sign out of all sessions.

3. Remove the account from admin roles

Next, we may want to remove the account from any admin roles. It's good practice to temporarily remove the account from any admin roles until you are 100% sure the compromised account is no longer accessed by the hacker.

1. Go to Microsoft 365 admin center > Users > Active Users
2. Search for the user you want to reset the password for. Click the Display name of the account. Click Manage roles > User (no admin center access) > Save changes.

4. Re-enroll in MFA

If you have MFA enabled for the user, you may want to re-enroll the devices, or at least review the devices and make sure they are the user's devices. In short, once a malicious user has access to the user's Microsoft 365 account, they can enroll their own devices and possibly reset the password after you've changed it. So go to the user's MFA authentication methods, sit down with the user, and ask whether each authentication method is theirs.

1. Go to Azure Active Directory > Users. Search for the user, then click the user's display name.
2. Click Authentication methods, then view the user's authentication methods.

5. Check for enterprise apps authorized for the user

Another way a malicious actor may retain access to your user's Microsoft 365 account is through enterprise apps. In short, once a person has access to the account, they may register the user for a malicious enterprise app that the hacker can use to retain access to the account after the password reset. So we'll need to review the registered apps for the user.
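
The reviews in steps 4 and 5 can also be done from PowerShell. The script below is an added example, not part of the original article: it is read-only and assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) is installed. The UPN is a placeholder and the scope watch list is an illustrative assumption, not a Microsoft-defined list.

```powershell
# Added example: read-only review of what can outlive a password reset.
# Assumes the Microsoft.Graph module is installed; the default UPN is a placeholder.
param([string]$UserPrincipalName = 'user@example.com')

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'
$user = Get-MgUser -UserId $UserPrincipalName

# Step 4: authentication methods registered on the account.
# Walk through this list with the user and confirm each entry is theirs.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    [pscustomobject]@{
        MethodType = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Name       = $_.AdditionalProperties['displayName']
        Id         = $_.Id
    }
} | Format-Table -AutoSize

# Step 5a: delegated permissions this user consented to, per enterprise app.
# Assumption: this pattern is an illustrative watch list of scopes that give
# lasting access to mail and files; adjust it for your tenant.
$watch = '^(offline_access|Mail\.|MailboxSettings\.|Files\.|Contacts\.|EWS\.|IMAP\.)'

# Note: tenant-wide admin consents (ConsentType 'AllPrincipals') carry no
# principalId, so they do not appear in this per-user filter.
Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All | ForEach-Object {
    $app    = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    $scopes = @($_.Scope -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        App    = $app.DisplayName
        AppId  = $app.AppId
        Scopes = $scopes -join ' '
        Review = [bool]($scopes -match $watch)   # true if any scope is on the watch list
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap

# Step 5b: enterprise apps the user is assigned to, newest first.
# An assignment created around the time of the compromise deserves a closer look.
Get-MgUserAppRoleAssignment -UserId $user.Id -All |
    Select-Object ResourceDisplayName, ResourceId, CreatedDateTime |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Nothing here changes the account; anything the user does not recognize should be removed through the portal steps in this article.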