Recently, Instructure released a new feature that allows users to be temporarily suspended. Additionally, a new API was added to permanently remove a user's access tokens, requiring the user to log in to Canvas again in every web browser and re-authorize any third-party apps (including the Canvas Mobile app).
These two features allow Admins to temporarily suspend and reactivate a user and/or to force a user to log in again across all devices and browsers. The features are related only in that they add new tools for Admins to manage users within accounts. The aim of this post is to help Admins understand when and why to use each feature.
Feature Highlights
Account Suspension
If you want to leave a user's enrollments intact but not allow them to log in, then user account suspension is the way to go rather than deactivating their account or ending their sessions.
Session Termination
Many accounts run their own Identity Provider (IdP) and need to force a logout from the Canvas mobile app and other integrations (typically after a password change) without locking the user out of the account.
Why did Instructure build these features?
Many Admins have asked for suspension capabilities to allow them to lock accounts due to outstanding tuition balances or to allow time for investigation of a user. Additionally, imposing a temporary freeze for accounts may be desirable as a quick action to restrict access for an account that may have been compromised while further investigation is done.
The ability to end all sessions for a user is specifically meant to be used in conjunction with a forced password change. Changing a password does not terminate all access tokens for the user (and a deep integration with a non-Canvas IdP would be required for this to work), so any device that has previously been authorized to use the mobile app (or any other third-party app) will continue to have access via those access tokens. This gap can now be resolved by forcing termination of all access tokens via the new API.
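As an added example (not Instructure's code), the Python below maps the situations described in this post to the Canvas REST call for each one and builds the request without sending it unless asked. The endpoint paths and `user[event]` values follow Canvas's public API documentation and should be confirmed against your instance; the host, token, user ID and scenario names are constructed placeholders.

```python
import urllib.parse
import urllib.request

# Paths and user[event] values follow Canvas's public REST API documentation;
# confirm them against your own instance before relying on them.
ACTIONS = {
    "suspend": ("PUT", "/api/v1/users/{uid}", {"user[event]": "suspend"}),
    "unsuspend": ("PUT", "/api/v1/users/{uid}", {"user[event]": "unsuspend"}),
    "terminate_sessions": ("DELETE", "/api/v1/users/{uid}/sessions", None),
}

# Scenario names are constructed for this example; the mapping follows the post:
# suspension blocks login and keeps enrollments, termination revokes tokens
# after a forced password change without locking the user out.
PLAYBOOK = {
    "unpaid_balance": ["suspend"],
    "under_investigation": ["suspend"],
    "suspected_compromise": ["suspend"],
    "investigation_cleared": ["unsuspend"],
    "forced_password_change": ["terminate_sessions"],
}


def build_request(base_url, token, user_id, action):
    """Return an unsent urllib Request for one admin action."""
    method, path, form = ACTIONS[action]
    uid = urllib.parse.quote(str(user_id), safe="")
    url = base_url.rstrip("/") + path.format(uid=uid)
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    return req


def plan(base_url, token, user_id, scenario):
    """Return the requests the playbook prescribes for a scenario."""
    return [build_request(base_url, token, user_id, a) for a in PLAYBOOK[scenario]]


def execute(requests, dry_run=True):
    """Send each request, or only describe it when dry_run is set."""
    results = []
    for req in requests:
        line = f"{req.get_method()} {req.full_url}"
        if not dry_run:
            with urllib.request.urlopen(req, timeout=30) as resp:
                line += f" -> {resp.status}"
        results.append(line)
    return results
```
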
The content in this blog is over six months old, and the comments are closed. For the most recent product updates and discussions, you're encouraged to explore newer posts from Instructure's Product Managers.
Sr Product Manager, Instructure