Azure AD Privileged Identity Management - Admin Role Still Active after Access is Expired
When an admin role is activated using the Azure AD PIM solution and their admin access expired, they are able to perform admin functions in Exchange\SharePoint etc until the sign off of O365. THis even lasts until the next day if the admin does not log off.
This is a security loophole for admin access still existing after it is supposed to be expired.
I received this explanation from a case I opened:
Even if the time frame of an hour or two hours have been expired, then the Azure AD will never have the knowledge that the token has expired. It will continuously provide the access token as that user has refresh token already. Thus, we need the user to logout of the session, to purge the refresh token so that this is not used again to get a access token.