3 Ways to Disable Users in Microsoft 365

Discover three straightforward methods to disable users in Microsoft 365, empowering admins to manage access more securely
The author of the article Chris Shuptrine
Aug 2025
3 Ways to Disable Users in Microsoft 365

When someone leaves the company, you need to shut off their Microsoft 365 sign-in fast to keep data safe. The good news is you can disable an account without deleting mail, files, or licenses.

Below, we’ll look at three quick approaches: the Microsoft 365 admin center, PowerShell, and Azure AD. Choose whichever fits your day, follow the steps, and make sure only the right people stay connected.

Table of Contents

Pro Tip: Too long? Ask ChatGPT to summarize →

Use Microsoft 365’s UI

This guide shows how to block a user account in the Microsoft 365 admin center while keeping all underlying data intact.

1. Sign in with admin rights

  • Go to the Microsoft 365 admin center.
  • Enter the admin credentials you already use.

2. Open the Active users list

  • In the left navigation, pick Users.
  • Choose Active users. A table appears with every licensed and unlicensed account.

3. Find the account you want to disable

  • In the search bar above the table, enter the person’s name or email.
  • Click the matching row. A details pane opens on the right.

4. Block the sign-in

  • In the details pane, select Block sign-in.
  • Switch Block this user from signing in to On.
  • Choose Save changes.

Within minutes, the user loses sign in access, yet their mailbox, files, and license assignments remain untouched behind the scenes.

5. Double-check the status

  • Back in Active users, look for a red “Blocked” tag next to the user’s name.
  • If you don’t see it, refresh the page to update the view.

6. Re-enable later if needed

  • Repeat steps 2 and 3.
  • In the same Block sign-in section, switch the toggle Off.
  • Save the change, and the user can sign in again.

Use Torii

Instead of navigating Microsoft 365 menus, use Torii, a SaaS Management Platform, to disable users in the tenant. Torii centralizes your SaaS stack, so you can automate provisioning, deprovisioning, and subscription oversight from a single screen.

With Torii you skip manual steps in Microsoft 365 and rely on automated flows that run when a selected trigger fires. Typical triggers cover onboarding, offboarding, or a contract milestone. When one of those events hits, Torii performs the task for you, and the change appears in Microsoft 365 without extra clicks.

Here’s how you can disable a user in Microsoft 365 directly through Torii:

1. Sign up for Torii

Contact Torii and request a complimentary two-week proof-of-concept.

2. Connect your Microsoft 365 account to Torii

After your Torii environment is live, link Microsoft 365 to the platform (your tenant should already exist). You can follow these step-by-step instructions for the Microsoft 365 integration: Here are the instructions for the Microsoft 365 integration.

torii microsoft 365 dashboard

3. Create a Torii workflow for Microsoft 365

Inside Torii, build a workflow that disables users in Microsoft 365. Go to the Workflows tab, set the trigger, and add the action to disable the account. From then on, every time the trigger fires, the user status updates automatically in Microsoft 365.

creating microsoft 365 workflows in torii

Use Microsoft 365’s API

Here you’ll flip the accountEnabled flag through Microsoft Graph so the user can’t sign in, while their data remains intact.

Step 1: Get an access token that can edit users

POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={app-id}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={app-secret}
&grant_type=client_credentials

The app must hold the User.ReadWrite.All application permission and an admin has to grant consent beforehand. The response returns an access_token.

Step 2: Look up the user object ID

Skip this lookup when the object ID is on hand; otherwise, call Graph to search by UPN.

GET https://graph.microsoft.com/v1.0/users?$filter=userPrincipalName eq '[email protected]'
Authorization: Bearer {access_token}

After the call returns, copy the id property from the response body to use in the next step.

Step 3: Disable sign-in

PATCH https://graph.microsoft.com/v1.0/users/{user-id}
Authorization: Bearer {access_token}
Content-Type: application/json
{
    "accountEnabled": false
}

When the response comes back with HTTP 204, the patch succeeded and the user is blocked from every Microsoft 365 sign-in.

Step 4: Confirm the change

GET https://graph.microsoft.com/v1.0/users/{user-id}?$select=id,accountEnabled
Authorization: Bearer {access_token}

Check the JSON for "accountEnabled": false; if you spot it, the account is definitely disabled now.

Torii for SaaS Management

Running dozens of cloud apps across teams can quickly spiral into a budgeting and security headache. Torii’s SaaS Management Platform helps you regain control by letting you:

  • Uncover shadow apps: AI continuously scans your organization and flags unapproved tools the moment they appear.
  • Reduce expenses: Cut waste by deprovisioning unused licenses and consolidating redundant software.
  • Automate onboarding and offboarding: Eliminate manual IT work and lower error rates with workflow automation.
  • Never miss a renewal: Receive proactive alerts so you can renegotiate or cancel contracts on time.

Torii unites Finance, IT, and Security teams around one dependable, always-updated source of truth for every subscription.

See the full story and product details at Torii today, and discover how effortless SaaS oversight can be.

Frequently Asked Questions

Open the Microsoft 365 admin center, locate the user in Active users, click Block sign-in, toggle to On, and save. Alternatively, run a Graph API PATCH setting "accountEnabled" to false or trigger a Torii offboarding workflow. All three methods preserve mail, files, and licenses.

No. Blocking sign-in simply flips the accountEnabled flag to false; it leaves the mailbox, OneDrive files, SharePoint content, groups, and license assignments untouched, so you can review or transfer data later without rushing to restore backups.

Yes. After connecting your tenant, create a Torii workflow, choose an offboarding or similar trigger, and add the action "Disable Microsoft 365 user." When the trigger fires, Torii automatically blocks the account and logs the change, eliminating manual clicks.

Microsoft 365 usually enforces the block within a few minutes. Refresh the Active users list or query the Graph endpoint to confirm the status. Until propagation finishes, cached tokens may allow access, but they quickly expire and the user is locked out.

Send a PATCH request to /users/{id} and set "accountEnabled": false. The call needs an access token with User.ReadWrite.All permission. A 204 No Content response signals success and immediately blocks sign-ins across all Microsoft 365 services.

Absolutely. Open the same Block sign-in panel in the admin center, switch the toggle Off, and save. Or flip "accountEnabled" back to true through Graph or Torii. The user regains access instantly because their credentials, licenses, and data were never deleted.