How to revoke access quickly
Topic: Security basics
Summary
When someone leaves or an account is compromised, revoke all access immediately: disable or delete the account, revoke tokens and keys, remove from groups and roles, and invalidate sessions. Use this during offboarding or incident response.
Intent: How-to
Quick answer
- Disable the account in the IdP first (this stops SSO and new logins), then disable or delete it in every application that keeps its own user store. Revoke every OAuth and refresh token, session cookie and API key owned by or issued to the user; tokens that are already issued stay valid until they expire or are revoked, so disabling the login alone is not enough.
- Remove the user from all groups and role assignments so inherited permissions go with them. For SSH and servers, lock the account, remove their public keys from every authorized_keys file on every host (including other users' and service accounts', where a leaver's key is often parked), and remove sudo and admin group membership. Rotate any shared secrets or service-account credentials the user could have read.
- Invalidate active sessions (force logout, revoke refresh tokens, clear server-side sessions, kill live shell sessions on servers: removing a key does not end a session that is already open). For cloud, delete the IAM user or remove them from the role trust policy and the federation mapping; for servers, remove them from LDAP or the local user database. Work from a written checklist, in this order, and record who ran it.
Prerequisites
Steps
Step 1: IdP and app accounts
Disable the user in the identity provider (Microsoft Entra ID, formerly Azure AD; Okta; etc.) so SSO and new logins stop. Prefer disabling over deleting until data ownership has been transferred. Then disable or remove the account in every application that keeps its own user store and revoke that app's tokens; an app that does not check back with the IdP on each request will otherwise keep serving the old session.
Step 2: Keys and tokens
Revoke all API keys, personal access tokens and OAuth grants for the user. Remove their SSH public keys from every host (through configuration management where possible, and by checking every account's authorized_keys, not only their own). Revoke any client certificate (publish it in the CRL; for SSH certificates, add the key to the KRL) and any other client credential. Rotate shared credentials they had access to.
Step 3: Groups, roles, and sessions
Remove the user from all groups and role assignments. Force logout and invalidate sessions: revoke refresh tokens, clear server-side sessions, and kill the user's live processes on servers. Already-issued access tokens (for example short-lived JWTs) remain valid until they expire; keep that window short and treat it as residual exposure. For cloud IAM, delete the user or remove them from the role trust policy and the federation mapping; for roles they could assume, deny sessions issued before the revocation time where the platform supports it.
Step 4: Verify and document
Confirm the user cannot log in or call APIs: test against the IdP, check at least one critical system by hand, and look in the logs for sign-in or API activity by the account after the revocation time. Record what was revoked, when, and by whom; run the same checklist for every offboard and every suspected compromise, and add any missed system to it.
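The server-side part of steps 2 to 4 as a script, added here as an example and not the page's own tooling: it purges a leaver's key from every authorized_keys file on a host (other accounts included), locks the account and kills live sessions, then verifies that the key is gone before reporting success. The username, the key comment used for matching, and the directory layout are assumptions; ROOT lets the file-level functions run against a staging copy of the filesystem.

```shell
#!/bin/sh
# Added example (assumed names and paths), not the page's own tooling.
# Usage on a real host, as root:   ./revoke.sh jdoe 'jdoe@laptop' /
# The third argument (ROOT) points the file scan at another tree so the
# purge and count functions can be exercised against a staging copy.
set -e

# List every authorized_keys file under ROOT: each home directory plus root.
# A leaver's key is frequently parked in a shared or service account, so
# scanning only their own home directory is the classic miss.
key_files() {
    root=$1
    for f in "$root"/home/*/.ssh/authorized_keys "$root"/root/.ssh/authorized_keys; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Count key lines matching MATCH (fixed string: a key blob or its comment).
count_keys() {
    root=$1; match=$2; total=0
    for f in $(key_files "$root"); do
        n=$(grep -cF "$match" "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Remove matching key lines in place (cat-over-file keeps ownership and
# mode of the original so sshd's StrictModes check still passes).
purge_keys() {
    root=$1; match=$2; removed=0
    for f in $(key_files "$root"); do
        n=$(grep -cF "$match" "$f" || true)
        [ "$n" -gt 0 ] || continue
        grep -vF "$match" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing remains
        cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
        removed=$((removed + n))
    done
    echo "$removed"
}

# Lock the shell account itself. Removing the key does not end sessions
# that are already open, so kill the user's processes too, and leave the
# admin groups so nothing is inherited through sudo/wheel.
lock_account() {
    user=$1
    usermod --lock --expiredate 1970-01-02 "$user"
    pkill -KILL -u "$user" || true
    for g in sudo wheel admin; do
        gpasswd -d "$user" "$g" 2>/dev/null || true
    done
}

# Main path: only runs when invoked with arguments.
if [ -n "${1:-}" ]; then
    user=$1; keymatch=$2; root=${3:-/}
    removed=$(purge_keys "$root" "$keymatch")
    echo "removed $removed key line(s) matching $keymatch under $root"
    if [ "$root" = "/" ]; then
        lock_account "$user"
    fi
    # Verification is part of the checklist: fail loudly if anything is left.
    left=$(count_keys "$root" "$keymatch")
    if [ "$left" -ne 0 ]; then
        echo "REVOCATION INCOMPLETE: $left matching key line(s) still present" >&2
        exit 1
    fi
    echo "verified: no key lines matching $keymatch remain"
fi
```

Match on the base64 key blob rather than the comment when you can; comments are free text and can be edited, while the blob identifies the key. Run the script from configuration management across the fleet rather than host by host, and keep its exit status as the evidence for the "verified" line in your checklist.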
Verification
User cannot log in or call APIs; no active sessions remain; group and role membership, SSH keys and tokens are removed; no sign-in or API activity from the account appears in logs after the revocation time; the checklist is documented, records who ran it, and is used for every offboard and compromise.
Troubleshooting
Still has access: find the system that was missed (a second IdP, an app with its own user store, a host where their key sits in another account's authorized_keys, a long-lived token or API key, a shared credential they knew); revoke there and add that system to the checklist.
Need to preserve data: disable the account rather than deleting it, transfer ownership or export the data, then complete the revocation.