Most think “Revoke MFA sessions” is the fastest way to contain a compromised account.
Admins used it, assuming it would invalidate MFA for a compromised user.
In reality, it only cleared per-user MFA sessions, not MFA enforced through Conditional Access. If CA issued the token, the MFA claim stayed valid.
This disconnect shows up most often during:
- Account compromise response
- Suspicious sign-in investigations
- Lost or stolen device scenarios
This behavior is finally being corrected! From February 2026, the legacy “Revoke MFA sessions” option will be replaced with “Revoke sessions” in Entra ID. This new change will:
✅ Invalidate all active user sessions
✅ Sign the user out of all apps and devices
✅ Clear MFA state regardless of whether it came from:
👉🏻 Conditional Access
👉🏻 Per-user MFA
This will happen by default. This aligns the admin control with how authentication has worked for years in Entra. It won’t change how you design CA policies, but it does remove a long-standing trap during account containment.
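Added example, not from the original post: the same containment step run from the Microsoft Graph PowerShell SDK, with a check that the revocation actually took effect. It assumes the Microsoft.Graph module is installed, the admin has consented to User.ReadWrite.All, and that the Graph revokeSignInSessions action is the programmatic counterpart of the portal's “Revoke sessions” control; $UserPrincipalName is a placeholder parameter.

```powershell
# Added example: contain a compromised Entra ID account via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; delegated User.ReadWrite.All consent;
# revokeSignInSessions is the programmatic counterpart of the "Revoke sessions" control.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName   # placeholder, e.g. user@contoso.example
)

Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Record the current session watermark so the change can be confirmed afterwards.
$before = Get-MgUser -UserId $UserPrincipalName -Property Id,SignInSessionsValidFromDateTime
Write-Host "signInSessionsValidFromDateTime before: $($before.SignInSessionsValidFromDateTime)"

# Invalidate every refresh token and browser session cookie issued to this user.
# Access tokens already in hand stay valid until they expire, so this is
# containment, not an instant kill switch; pair it with a password reset.
Revoke-MgUserSignInSession -UserId $before.Id | Out-Null

# Confirm the watermark advanced: any refresh token minted before it is now rejected.
$after = Get-MgUser -UserId $before.Id -Property SignInSessionsValidFromDateTime
if ($after.SignInSessionsValidFromDateTime -gt $before.SignInSessionsValidFromDateTime) {
    Write-Host "Sessions revoked; new watermark: $($after.SignInSessionsValidFromDateTime)"
} else {
    Write-Warning "Watermark did not advance; check permissions and retry."
}
```

Run it after resetting the user's password, and follow with a review of the sign-in logs for the account.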