0 Votes
AndriiMaslov-1341 asked ChenguangWang-7305 edited

Revoke access/refresh token

Greetings!

I'm struggling to find out how I can revoke access/refresh tokens within the web application that obtained them. Is this possible to achieve? Is there some revoke endpoint?

azure-ad-authentication-protocols

1 Vote
amanpreetsingh-msft answered

Hi @AndriiMaslov-1341 · Thank you for reaching out.

You can make the calls below to invalidate refresh tokens and sign-in sessions.

POST https://graph.microsoft.com/v1.0/users/object_id_or_userPrincipalName/invalidateAllRefreshTokens
POST https://graph.microsoft.com/v1.0/users/object_id_or_userPrincipalName/revokeSignInSessions

For required graph permissions and more details please refer to:

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 Votes
ChenguangWang-7305 answered ChenguangWang-7305 edited

@amanpreetsingh-msft I don't think either of these 2 endpoints can revoke an access token. I tried locally. Even though I sent a request to the https://graph.microsoft.com/v1.0/me/revokeSignInSessions endpoint, I can still use the old access token to visit https://graph.microsoft.com/v1.0/me

Is there an API endpoint we can call to revoke an access token? I found in this thread https://github.com/MicrosoftDocs/azure-docs/issues/12717 that this was unavailable in 2018. What about now?

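The behaviour reported in the last answer, as an added example that is not part of the thread: a check on `exp` alone keeps accepting a token issued before the revocation, while an API you operate can also compare the token's `iat` with the user's `signInSessionsValidFromDateTime`, the property that `revokeSignInSessions` resets. Assumptions: signature validation happens elsewhere, the API has already read that property from Microsoft Graph, and the token, function names and timestamps are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. No signature check here:
    this sketch assumes the API's normal validation already did that."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_access_token(claims: dict, sessions_valid_from: datetime,
                       now: datetime) -> str:
    """Return 'expired', 'revoked' or 'ok' for an already-verified token.

    sessions_valid_from is the user's signInSessionsValidFromDateTime,
    which the API is assumed to have read from Microsoft Graph and cached.
    """
    if now.timestamp() >= claims["exp"]:
        return "expired"
    if claims["iat"] < sessions_valid_from.timestamp():
        return "revoked"  # issued before the last revokeSignInSessions call
    return "ok"


def _constructed_token(iat: datetime, lifetime_s: int) -> str:
    """Build an unsigned sample token (constructed data, not a real one)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    body = {"sub": "sample-user", "iat": int(iat.timestamp()),
            "exp": int(iat.timestamp()) + lifetime_s}
    return f"{seg({'alg': 'none'})}.{seg(body)}."


# Constructed timeline: token issued 12:00, sessions revoked 12:10.
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
REVOKED_AT = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)
TOKEN = _constructed_token(ISSUED, 3600)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 15, tzinfo=timezone.utc)
    claims = jwt_claims(TOKEN)
    print("exp-only check passes:", now.timestamp() < claims["exp"])
    print("with revocation check:", check_access_token(claims, REVOKED_AT, now))
```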