Block Microsoft 365 User Using Microsoft Graph PowerShell

Blocking a user in Microsoft 365 (Office 365) from signing in can be an effective way to restrict access without directly modifying user passwords or deleting accounts. This can be done easily using Microsoft Graph API via PowerShell.

Step 1: Install the Microsoft Graph PowerShell Module

Run Install-Module -Name Microsoft.Graph -Scope CurrentUser command to install Microsoft Graph PowerShell module.

Step 2: Authenticate

You must authenticate to Microsoft Graph with the required permission User.ReadWrite.All.

Connect-MgGraph -Scopes "User.ReadWrite.All" is the command.

Step 3: Identify the User

Find the user you want to block. You can identify them by their user principal name (UPN), email, or object ID.

Step 4: Block the User

To block the user, you’ll need to disable their sign-in status. This can be done by setting the accountEnabled parameter to $false. This doesn't delete the user or their data but prevents them from signing in.

$user = Get-MgUser -UserId "chaman@7xh7fj.onmicrosoft.com" 
$params = @{
	accountEnabled = $false
}
Update-MgUser -UserId $user.UserPrincipalName -BodyParameter $params

Unblocking the Blocked User Account

To unblock the user, you’ll need to enable their sign-in status. This can be done by setting the accountEnabled parameter to $true

$user = Get-MgUser -UserId "donaldsingh@7xh7fj.onmicrosoft.com" 
$params = @{
	accountEnabled = $true
}
Update-MgUser -UserId $user.UserPrincipalName -BodyParameter $params

Note: Read Microsoft Documentation on Blocking Microsoft 365 user accounts using Graph PowerShell for more information.

Get-Content "C:\UsersToBlock.txt" | ForEach-Object {
  Update-MgUser -UserId $_ -BodyParameter @{ accountEnabled = $false }
}

Frequently Asked Questions

• What does setting AccountEnabled to $false do in Microsoft 365?
  Setting AccountEnabled to $false disables the user’s ability to sign in to Microsoft 365 services, including Exchange, SharePoint, and Teams. However, it does not delete the user account or remove any associated data.
• Can a blocked user still receive emails?
  Yes, a blocked (disabled) user account can still receive incoming emails to their mailbox, but they won’t be able to sign in to read or send emails until the account is re-enabled.
• How can I unblock a previously blocked user account?
  To unblock a user, use the same command with AccountEnabled set to $true. For example: Update-MgUser -UserId "alexw@contoso.com" -BodyParameter @{ AccountEnabled = $true }
• Is there a way to automate the blocking of inactive users?
  Yes, you can create a PowerShell script that checks the last sign-in date using the signInActivity property from Get-MgUser and automatically disables users who haven’t logged in for a defined number of days (e.g., 90 days).

Related Articles: