3. Revoke Azure Active Directory User Refresh Tokens
Using the foreach loop created earlier, first add another step inside of the loop to find the on-premises AD account’s associated Azure AD account using the Get-AzADUser cmdlet. Once the associated Azure AD account is found, pass it to the Revoke-AzureADUserAllRefreshToken cmdlet. Here is a script you can use to bring all of these instructions together:
# Assumes the ActiveDirectory, Az and AzureAD modules are installed and that Connect-AzAccount and Connect-AzureAD have already been run in this session
$expiredUsers = Search-ADAccount -AccountExpired -UsersOnly
foreach ($user in $expiredUsers) {
    Disable-ADAccount -Identity $user                                   # disable the expired on-premises account
    $aadUser = Get-AzADUser -UserPrincipalName $user.UserPrincipalName  # look up the matching Azure AD account by UPN
    if ($aadUser) { Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.Id }  # revoke all of that account's refresh tokens
}
4. Create a Scheduled Task
You now have a script that finds all expired, on-premises AD user accounts; finds each account’s Azure AD account; and revokes each account’s refresh token. Running this action once is great — but in an active environment, user accounts will generate more refresh tokens. Be sure to keep up to date by including this script in a Windows scheduled task or other tool to run these steps regularly.
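The following is an added example of the scheduling step, not code from the original article: it registers a daily Windows scheduled task that runs the step-3 script unattended under a dedicated service account. The script path, task name and service account name are assumed values; the cmdlets are the standard ScheduledTasks module cmdlets.

```powershell
# Added example (not from the original article): register a daily scheduled task for the revocation script.
$scriptPath = 'C:\Scripts\Revoke-ExpiredUserTokens.ps1'   # assumed location of the step-3 script

# Run PowerShell non-interactively against the saved script
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At 2am
# Catch up on a missed run and stop a hung run after an hour
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Dedicated least-privilege service account (assumed name); prompting keeps the password out of the script
$serviceAccount = 'CONTOSO\svc-offboarding'
$cred = Get-Credential -UserName $serviceAccount -Message 'Password for the scheduled task service account'

Register-ScheduledTask -TaskName 'Revoke-ExpiredUserRefreshTokens' -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest `
    -Description 'Disables expired on-premises AD accounts and revokes their Azure AD refresh tokens'

# Confirm the registration; after the first scheduled run, LastTaskResult should be 0
Get-ScheduledTask -TaskName 'Revoke-ExpiredUserRefreshTokens' | Get-ScheduledTaskInfo
```

Because the task runs with no user present, the script it launches cannot rely on an interactive Connect-AzAccount or Connect-AzureAD sign-in; authenticate non-interactively instead, for example with a certificate-based service principal (Connect-AzureAD -TenantId ... -ApplicationId ... -CertificateThumbprint ..., and Connect-AzAccount -ServicePrincipal with the same application and certificate), and grant that principal only the directory permissions needed to read users and revoke sessions. Search-ADAccount -AccountExpired returns every account that is already expired, so accounts revoked on a previous run are revoked again on the next one; that is harmless, but if you want to act only on newly expired accounts, record the accounts processed on each run and skip them afterwards.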