
How to revoke all refresh tokens

Donkin 50 Reputation points
2023-04-25T21:24:22.24+00:00

Hi. Recently my Microsoft account has been compromised. Someone was able to gain access to my access token and has refresh tokens. I would like to revoke and remove all existing refresh tokens so they are unable to access my account anymore. I understand that I could wait for them to expire, but it would take upwards of 90 days or so. I believe there is something called PowerShell that I can use to manually revoke all refresh tokens. However, I am not very good at technology and programs and I don't really know how to use this. Could someone provide me with step-by-step instructions on how to revoke these tokens?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

  1. Dillon Silzer 60,836 Reputation points Volunteer Moderator
    2023-04-25T22:22:16.4233333+00:00

    Hello Donkin,

    You can revoke the access and refresh tokens (answer by Alfredo):

    Azure AD refresh tokens can be revoked by a user using the AzureAD PowerShell Revoke-AzureADSignedInUserAllRefreshToken cmdlet or by an admin using the Revoke-AzureADUserAllRefreshToken cmdlet. For other instances when refresh tokens will get revoked during the device flow, take a look at the password- and non-password-based token columns of the Token revocations table.

    Cited from https://learn.microsoft.com/en-us/answers/questions/986743/how-to-revoke-oauth-refresh-token

    You will need to open PowerShell and first load the Azure AD module and connect with your Azure AD credentials:

    https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0


    If this is helpful please accept answer.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Shweta Mathur 30,456 Reputation points Microsoft Employee Moderator
    2023-04-26T12:04:46.4733333+00:00

    Hi @Donkin ,

    Thanks for reaching out.

    You can revoke the refresh token using both the Graph API and PowerShell commands:

    To revoke the refresh token of the signed-in user:

    POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions

    To revoke the refresh token of another user:

    POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions

    Alternatively, you can use the PowerShell cmdlets below as well:

    Revoke-AzureADSignedInUserAllRefreshToken

    Revoke-AzureADUserAllRefreshToken

    Access tokens cannot be revoked. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
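The two answers above give the cmdlets and the Graph endpoints but not the check that the revocation actually took effect. The script below is an added example (not code from either answer or from Microsoft): it runs the AzureAD cmdlet for either the signed-in user or, as an admin, another user, then reads the user's RefreshTokensValidFromDateTime, which the directory advances to the current time when all refresh tokens are revoked. It assumes the AzureAD PowerShell module is installed; the -UserId parameter name is this example's own.

```powershell
# Added example, not from the original thread.
# Revokes all refresh tokens for one user and verifies the revocation by
# reading RefreshTokensValidFromDateTime: any refresh token issued before
# that timestamp can no longer be redeemed for a new access token.
# Assumes the AzureAD module is installed. -UserId is an assumed parameter:
# an object id or UPN you administer; leave it empty to revoke your own tokens.
param(
    [string]$UserId
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null    # interactive sign-in with the (recovered) account

$before = Get-Date

if ([string]::IsNullOrEmpty($UserId)) {
    # Self-service path from the thread: the signed-in user revokes their own tokens.
    Revoke-AzureADSignedInUserAllRefreshToken
    $UserId = (Get-AzureADCurrentSessionInfo).Account.Id   # UPN of the signed-in user
} else {
    # Admin path from the thread: revoke another user's tokens.
    Revoke-AzureADUserAllRefreshToken -ObjectId $UserId
}

# Verification: the directory stamps the revocation time on the user object.
$user  = Get-AzureADUser -ObjectId $UserId
$stamp = $user.RefreshTokensValidFromDateTime

if ($stamp -and $stamp.ToUniversalTime() -ge $before.ToUniversalTime().AddMinutes(-5)) {
    Write-Output "Revocation recorded for $($user.UserPrincipalName) at $stamp (UTC)."
    Write-Output "Refresh tokens issued before that time are now unusable; cached access tokens expire on their own (about 1 hour by default)."
} else {
    Write-Warning "RefreshTokensValidFromDateTime is $stamp; the revocation does not appear to have been recorded. Re-run or check permissions."
}

# Graph equivalent of the endpoints quoted in the thread (Microsoft.Graph module):
#   Connect-MgGraph -Scopes "User.RevokeSessions.All"
#   Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/me/revokeSignInSessions"
```

Run it from an already-trusted machine, since the sign-in it performs issues fresh tokens to that session; the timestamp check is the evidence to keep if the incident is later reviewed.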
