Can't revoke signin session

Petre Popescu 16 Reputation points
2022-11-16T21:20:28.543+00:00

I am building an app that uses 'Login with Microsoft' and everything works fine, except revoking the tokens. The flow for logging in is as follows:

  1. Request to https://login.microsoftonline.com/common/oauth2/v2.0/token to get the access token and the refresh token. Everything works fine.
  2. Build the Graph client using the access token:
     this.graphServiceClient = GraphServiceClient.builder()
         .authenticationProvider(tokenCredentialAuthProvider)
         .buildClient();
  3. Do some operations, for example, retrieving calendars: graphServiceClient.me().calendars().buildRequest().get()

Everything works fine.

  4. Revoke the refresh token when the user no longer wants to use my app. This is where things fail:

I tried both using the Graph client and doing the POST manually. Each time I get the same error.

method 1: this.graphServiceClient.me().revokeSignInSessions().buildRequest().post()
method 2: restTemplate.postForEntity("https://graph.microsoft.com/v1.0/me/revokeSignInSessions", request, String.class).getStatusCode()

The error is always a 404:
No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:ada1129a0c4b4903')/profile/revokeSignInSessions?api-version=AGSV1-internal'.


I don't know what I am doing wrong, especially since fetching data (calendars, events, etc.) works. But the revokeSignInSessions does not.


4 answers

  1. Cristian SPIRIDON 4,476 Reputation points
    2022-11-17T05:52:58.297+00:00

    Hi,

    The revokeSignInSessions will revoke all refresh tokens and requires some global admin rights.
    Maybe you requested all needed rights because the error you receive is not related to permissions.

    I think a better way to sign out would be to just call the logout endpoint:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-sign-in?tabs=aspnetcore#sign-out

    Hope this helps!


  2. Petre Popescu 16 Reputation points
    2022-11-17T08:07:46.71+00:00

    Ok. So revoking the session does not work for personal accounts. In this case, how do I revoke the refresh token in case it gets compromised for the users logged into my app?


  3. Shivam Dhiman 6,056 Reputation points
    2022-11-17T06:21:15.017+00:00

    Hi @Petre Popescu

    As per the error message, you are facing this issue because you are using a Personal Microsoft Account while using this Graph API, and as per the documentation this Graph API does not support Personal Microsoft accounts. I was able to replicate this with my Personal account. Please make sure you are using a work or school account while using this Graph API.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.


  4. CarlZhao-MSFT 42,031 Reputation points
    2022-11-17T07:18:44.713+00:00

    Hi @Petre Popescu

    This is an expected error, and this API doesn't revoke sign-in sessions for external users, because external users sign in through their home tenant.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
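An added illustration of the point the answers above make, not code from this thread or from the Microsoft Graph SDK (and written in Python rather than the asker's Java, since the decision logic is the same in either): before calling revokeSignInSessions, look at the `tid` claim of the ID token the app just received. Tokens for personal Microsoft accounts carry the consumer tenant id, so for those accounts the call is skipped and the user is sent to the v2.0 logout endpoint that Cristian's answer links instead; for work or school accounts the call is made, and a non-2xx reply (the 404 CarlZhao describes for external users) falls back to the same logout redirect. The `revoke_sign_in_sessions` callable, the test-token helper and the sample claims are assumptions constructed here so the example runs offline; the JWT payload is decoded without signature verification, which is only acceptable because the token came straight from the token endpoint and is used for a routing decision, never for authorization.

```python
import base64
import json
from urllib.parse import urlencode

# Tenant id that appears in the `tid` claim of tokens issued to personal
# Microsoft accounts (the consumer tenant). Verify against your own tokens.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

LOGOUT_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only use this on a token your app just received from the token endpoint, and
    only to decide which sign-out path to take; never for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_personal_account(claims):
    """True when the token was issued by the consumer (personal account) tenant."""
    return claims.get("tid") == MSA_TENANT_ID


def build_logout_url(post_logout_redirect_uri):
    """Sign-out URL for the v2.0 endpoint; the user agent must be redirected here."""
    return LOGOUT_ENDPOINT + "?" + urlencode(
        {"post_logout_redirect_uri": post_logout_redirect_uri}
    )


def end_session(id_token, revoke_sign_in_sessions, post_logout_redirect_uri):
    """Choose how to end the user's session.

    revoke_sign_in_sessions: hypothetical callable that performs
        POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
        and returns the HTTP status code.
    Returns ("revoked", status) or ("logout", url).
    """
    claims = decode_jwt_claims(id_token)
    if is_personal_account(claims):
        # revokeSignInSessions is not supported for personal accounts (the 404 in
        # the question), so do not call it; end the session via the logout endpoint.
        return "logout", build_logout_url(post_logout_redirect_uri)
    status = revoke_sign_in_sessions()
    if 200 <= status < 300:
        return "revoked", status
    # External (guest) users also fail here because they sign in through their
    # home tenant; the logout endpoint is the remaining option.
    return "logout", build_logout_url(post_logout_redirect_uri)


def make_test_token(claims):
    """Constructed test helper: an unsigned compact JWT (alg none, empty signature).
    This is NOT a real token and exists only so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed sample: a personal account never reaches the Graph call.
    personal = make_test_token({"tid": MSA_TENANT_ID, "preferred_username": "someone@outlook.com"})
    print(end_session(personal, lambda: 200, "https://app.example/signed-out"))
    # Constructed sample: a work/school account whose revoke call succeeds.
    org = make_test_token({"tid": "00000000-0000-0000-0000-000000000001"})
    print(end_session(org, lambda: 200, "https://app.example/signed-out"))
```

In the asker's Java app the same check would wrap the existing `this.graphServiceClient.me().revokeSignInSessions().buildRequest().post()` call, with the ID token obtained in step 1 supplying the `tid` claim.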

