This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 72%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Hi,
I have a Laravel 10 Saas product which I'm trying to allow users to log in with their Microsoft account (Socialite package using oauth2/openid) with the view to having it approved on the Enterprise Application list.
So far:
But I'm struggling to see how I can allow the user to revoke/remove consent? Also I can't seem to navigate through Azure AD to find a way to see what users have consented or perhaps I cannot?
I have the following permissions:
Microsoft Graph - openid and user.read
I suspect I need to add more permissions...after reading this article:
https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=php
Any advice/links would be appreciated!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @James Froud ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Hi @James Froud
Thanks for reaching out.
I understand you are trying to allow the user to revoke/remove consent.
How can I allow the user to revoke/remove consent?
To allow users to revoke/remove consent, you can use the Microsoft Graph API to revoke the user's tokens. Specifically, you can use the revokeSignInSessions method to revoke all refresh tokens and end all sessions for the user.
To revoke the refresh token of the signed-in user:
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
To revoke the refresh token of another user:
POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions
To use this method, you will need to have the User.ReadWrite.All permission. This permission allows your application to revoke sign-in sessions for the signed-in user.
This will only revoke the refresh token. Access tokens cannot be revoked and automatically expires after 1 hour.
Reference: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
Also I can't seem to navigate through Azure AD to find a way to see what users have consented to do or perhaps I cannot?
To see what users have consented to, you can use the Microsoft Graph API to retrieve a list of users who have granted consent to your application. Specifically, you can use the List method of the oauth2PermissionGrants resource type to retrieve a list of all the OAuth 2.0 permission grants that have been given to your application.
To use this method, you will need to have the User.ReadBasic.All least privilege permission.
GET https://graph.microsoft.com/v1.0/users/<userid>/oauth2PermissionGrants
You can also go to Identity->Enterprise Application->Select your application->Select Permissions and go to user consent to see all the permission assigned to user.
Also, if you are looking to revoke the application permission that has been granted for entire organization through admin consent. You can refer https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions?pivots=portal#review-and-revoke-permissions
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
Thank you for your quick reply!
How can I allow the user to revoke/remove consent?
What I meant was how do I remove the user consent, e.g. when they first try to log in with Microsoft they have a consent prompt as shown on: https://learn.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience so what I was hoping to achieve is that within our application they can remove this consent from their microsoft account? Or would this be something they would have to do through https://myapps.microsoft.com/
The main reason I want to do this is because I think it is needed in the Consent Framework for publishing an application to Azure AD Gallery. Unless I'm mistaken?
As the aim is to publish an enterprise application to the Azure AD Gallery, but I'm double checking what is expected...
Relatively new to this world!
Thanks again,
James
Thanks for the clarification.
To remove user consent for an application, users can go to the My Apps portal and remove the application from their list of applications. This will revoke the user's consent for the application and remove the application's access to the user's data**.**
Alternatively, administrators can also revoke user consent for an application by removing the user's access to the application in Azure AD/Microsoft Entra. To do this, navigate to Enterprise application->select your application->Users & groups and then remove the user from the application.
Regarding publishing an enterprise application to the Azure AD Gallery, you are correct that the application must comply with the Microsoft Consent Framework.