How to revoke all refresh tokens

Donkin 50 Reputation points
2023-04-25T21:24:22.24+00:00

Hi, recently my Microsoft account has been compromised. Someone was able to gain access to my access token and has refresh tokens. I would like to revoke and remove all existing refresh tokens so they are unable to access my account anymore. I understand that I could wait for them to expire, but it would take upwards of 90 days or so. I believe there is something called PowerShell that I can use to manually revoke all refresh tokens. However, I am not very good with technology and programs and I don't really know how to use this. Could someone provide me with step-by-step instructions on how to revoke these tokens?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
Dillon Silzer 57,831 Reputation points Volunteer Moderator
2023-04-25T22:22:16.4233333+00:00

    Hello Donkin,

    You can revoke the access and refresh tokens (answer by Alfredo):

    Azure AD refresh tokens can be revoked by a user using the AzureAD PowerShell Revoke-AzureADSignedInUserAllRefreshToken cmdlet, or by an admin using the Revoke-AzureADUserAllRefreshToken cmdlet. For other instances when refresh tokens get revoked during the device flow, take a look at the password- and non-password-based token columns of the Token revocations table.

    Cited from https://learn.microsoft.com/en-us/answers/questions/986743/how-to-revoke-oauth-refresh-token

    You will need to open PowerShell and first load the Azure AD module and connect with your Azure AD credentials:

    https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0

    If this is helpful please accept answer.

    1 person found this answer helpful.

1 additional answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
2023-04-26T12:04:46.4733333+00:00

    Hi @Donkin ,

    Thanks for reaching out.

    You can revoke the refresh token using both the Graph API and PowerShell commands:

    To revoke the refresh token of the signed-in user:

    POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions

    To revoke the refresh token of another user:

    POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions

    Alternatively, you can use the PowerShell cmdlets below as well:

    Revoke-AzureADSignedInUserAllRefreshToken

    Revoke-AzureADUserAllRefreshToken

    Access tokens cannot be revoked. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
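As an added worked example (not code from either answer), the script below runs the AzureAD cmdlets named in this thread and then reads the user's RefreshTokensValidFromDateTime to confirm the cut-off took effect, adding the one-hour access-token lifetime mentioned above to show when old access tokens are certain to be dead. It assumes the AzureAD module is installed (note that Microsoft has since deprecated it in favour of Microsoft Graph PowerShell, where Revoke-MgUserSignInSession does the same job), and the UPN in the commented admin call is a placeholder.

```powershell
# Added example, not part of the original thread. Assumes the AzureAD module
# is installed (Install-Module AzureAD). The AzureAD module is deprecated;
# Revoke-MgUserSignInSession in Microsoft Graph PowerShell is its successor.
Import-Module AzureAD
Connect-AzureAD | Out-Null          # interactive sign-in as the affected user or an admin

function Revoke-AndVerify {
    param(
        [string]$UserPrincipalName   # omit to act on the signed-in user
    )
    $before = Get-Date

    if ([string]::IsNullOrEmpty($UserPrincipalName)) {
        # Any user may invalidate their own refresh tokens
        Revoke-AzureADSignedInUserAllRefreshToken
        $self = (Get-AzureADCurrentSessionInfo).Account.Id
        $user = Get-AzureADUser -ObjectId $self
    } else {
        # Admin path: invalidate another user's refresh tokens
        Revoke-AzureADUserAllRefreshToken -ObjectId $UserPrincipalName
        $user = Get-AzureADUser -ObjectId $UserPrincipalName
    }

    # Azure AD stores the cut-off: refresh tokens issued before this instant are rejected
    $validFrom = $user.RefreshTokensValidFromDateTime
    if (-not $validFrom -or $validFrom -lt $before) {
        Write-Warning "RefreshTokensValidFromDateTime did not advance; re-check with Get-AzureADUser"
    }

    # Access tokens cannot be revoked; with the default 1-hour lifetime they
    # stop working no later than one hour after the cut-off.
    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        RefreshTokensRevoked = $validFrom
        AccessTokensDeadBy   = if ($validFrom) { $validFrom.AddHours(1) } else { $null }
    }
}

Revoke-AndVerify                                              # own account
# Revoke-AndVerify -UserPrincipalName 'user@contoso.example'  # admin; placeholder UPN
```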
