Can't revoke signin session

Petre Popescu 16 Reputation points

I am building an app that uses 'Login with Microsoft' and everything works fine, except revoking the tokens. The flow is something as follows for logging in:

  1. Request to to get the access token and the refresh token. Everything works fine.
  2. Build the Graph client using the access token: this.graphServiceClient =
  3. Do some operations, for example, retrieving calendars:

Everything works fine.

  4. Revoke the refresh token when the user no longer wants to use my app. This is where things fail:

I tried both using the Graph client and doing the POST manually. Each time I get the same error.

method 1:
method 2: restTemplate.postForEntity("", request, String.class).getStatusCode()

The error is always a 404:
No HTTP resource was found that matches the request URI ''CID:ada1129a0c4b4903')/profile/revokeSignInSessions?api-version=AGSV1-internal'.


I don't know what I am doing wrong, especially since fetching data (calendars, events, etc.) works. But the revokeSignInSessions does not.

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
Microsoft Graph Users API
A Microsoft API that allows you to build compelling app experiences based on users, their relationships with other users and groups, and the resources they access for example their mails, calendars, files, administrative roles, group memberships.

4 answers

  1. Cristian SPIRIDON 4,301 Reputation points


    The revokeSignInSessions will revoke all refresh tokens and requires some global admin rights.
    Maybe you requested all needed rights because the error you receive is not related to permissions.

    I think a better way to sign out would be to just call the logout endpoint:

    Hope this helps!

    1 person found this answer helpful.

  2. Petre Popescu 16 Reputation points

    Ok. So revoking the session does not work for personal accounts. In this case, how do I revoke the refresh token in case it gets compromised for the users logged into my app?

    1 person found this answer helpful.

  3. Shivam Dhiman 5,771 Reputation points

    Hi @Petre Popescu

    As per the error message, you are facing this issue because you are using a Personal Microsoft Account while using this Graph API, and as per the documentation this Graph API does not support Personal Microsoft accounts. I was able to replicate this with my Personal account. Please make sure you are using a work or school account while using this Graph API.

    Hope this helps.


  4. CarlZhao-MSFT 23,346 Reputation points

    Hi @Petre Popescu

    This is an expected error, and this API doesn't revoke sign-in sessions for external users, because external users sign in through their home tenant.


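The answers above say that revokeSignInSessions does not support personal Microsoft accounts and that the logout endpoint is the alternative. As an added example (not code from this thread or from Microsoft), the Java class below reads the `tid` claim of an ID token the app has already validated and picks the sign-out path before any Graph call is made. The class, method and enum names are hypothetical, Jackson is assumed to be on the classpath, the ID token is assumed to come from a sign-in that requested the `openid` scope, and the consumer tenant ID is the value Microsoft documents for personal accounts in v2.0 tokens, not a value taken from the thread.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper: decide how to end a session based on the account type.
public class RevocationGuard {
    // "tid" value that Microsoft identity platform v2.0 tokens carry for
    // personal (consumer) Microsoft accounts.
    static final String CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
    enum Strategy { GRAPH_REVOKE_SIGN_IN_SESSIONS, LOGOUT_ENDPOINT_ONLY }
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Reads "tid" from an ID token whose signature was ALREADY verified at sign-in.
    static String tenantId(String idToken) {
        String[] parts = idToken.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
            JsonNode tid = MAPPER.readTree(payload).path("tid");
            if (!tid.isTextual()) throw new IllegalArgumentException("no tid claim");
            return tid.asText();
        } catch (IOException e) {
            throw new IllegalArgumentException("JWT payload is not JSON", e);
        }
    }

    // Personal accounts skip the Graph call that returns the 404 shown in the question.
    static Strategy choose(String idToken) {
        return CONSUMER_TENANT_ID.equalsIgnoreCase(tenantId(idToken))
                ? Strategy.LOGOUT_ENDPOINT_ONLY
                : Strategy.GRAPH_REVOKE_SIGN_IN_SESSIONS;
    }

    // Constructed, unsigned sample token for illustration only.
    static String sampleToken(String tid) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String body = enc.encodeToString(("{\"tid\":\"" + tid + "\"}").getBytes(StandardCharsets.UTF_8));
        return enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "." + body + ".sig";
    }

    public static void main(String[] args) {
        System.out.println(choose(sampleToken(CONSUMER_TENANT_ID)));
        System.out.println(choose(sampleToken("00000000-0000-0000-0000-000000000001")));
    }
}
```

Whichever path is chosen, the app should also delete its own stored copy of the refresh token so it cannot be replayed from the app's storage.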