How long does it take for a user to lose access to a site/service after they are removed from the corresponding SSO group in AAD?

Shawn Goodwin 176 Reputation points
2023-12-16T02:02:26.77+00:00

We are 100% AzureAD, in the cloud. We manage most 3rd-party service access through Enterprise Applications and SSO groups. We are finding that users maintain access to those services AFTER they are removed from the SSO group. We've tried the following so far.

  1. Initiated a Sync with Intune, both from the computer and from the Intune Portal.
  2. Revoked all sessions and MFA sessions.
  3. Executed Reset-MsolStrongAuthenticationMethodByUpn and Revoke-AzureADUserAllRefreshToken in PowerShell.

How can we force a logout or token update, so they lose access after being removed from the SSO group? Thank you for your time.

edit: spelling

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator
    2023-12-16T02:30:37.7033333+00:00

    @Shawn Goodwin

    When a user is removed from an SSO group in AzureAD, it may take up to one day for the changes to be effective due to replication delays between Microsoft Entra ID and resource providers like Exchange Online and SharePoint Online. However, if immediate revocation is needed, there are two options:

    • Running the Revoke-MgUserSignInSession PowerShell command to revoke all refresh tokens of a specified user.
    • Selecting "Revoke Session" on the user profile page to revoke the user's session, to ensure that the updated policies are applied immediately.

    Once access is revoked, the elapsed time between revocation and the user losing their access depends on how the application is granting access. For applications using access tokens, the user loses access when the access token expires. For applications that use session tokens, the existing sessions end as soon as the token expires. If the disabled state of the user is synchronized to the application, the application can automatically revoke the user's existing sessions if it's configured to do so. The time it takes depends on the frequency of synchronization between the application and Microsoft Entra ID.

    References:

    Please confirm if the above answer addressed your questions. Thanks.

    AI Note: The answer is generated using Microsoft Q&A Copilot.

    1 person found this answer helpful.
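The removal-plus-revocation sequence the accepted answer describes, written out as an added Microsoft Graph PowerShell example (this is not code from the question or the answer). It assumes the Microsoft.Graph SDK is installed and the signed-in account holds the scopes requested; the UPN and group name are placeholders. The final object records when revocation happened alongside the one-hour default SAML lifetime cited later in the thread, which is the window an already-issued assertion may still be honoured for.

```powershell
# Added example (not code from the question or the accepted answer).
# Assumes the Microsoft.Graph PowerShell SDK and sufficient permissions.
param(
    [string]$UserPrincipalName = 'user@contoso.example',   # placeholder
    [string]$SsoGroupName      = 'SSO-ExampleApp-Users'    # placeholder
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All', 'Group.Read.All' -NoWelcome

$user  = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$group = Get-MgGroup -Filter "displayName eq '$SsoGroupName'" -Property Id, DisplayName
if (-not $group) { throw "SSO group '$SsoGroupName' not found" }

# 1. Remove the direct group membership (what the question's process already does).
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id

# 2. Invalidate refresh tokens and session cookies issued to the user. This is the
#    Revoke-MgUserSignInSession step from the accepted answer. Access tokens and
#    SAML assertions that were already issued are NOT recalled by this call; they
#    remain usable until their own expiry.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$revokedAt = (Get-Date).ToUniversalTime()

# 3. Verify the user is no longer a member, including through nested groups, which
#    a direct-member check would miss.
$stillMember = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.Id -eq $user.Id }

[pscustomobject]@{
    User                   = $user.UserPrincipalName
    Group                  = $group.DisplayName
    StillTransitiveMember  = [bool]$stillMember
    RevokedAtUtc           = $revokedAt.ToString('o')
    # One-hour default SAML assertion lifetime, as cited in the thread: an assertion
    # issued just before revocation may be accepted by the app until about this time.
    WorstCaseSamlExpiryUtc = $revokedAt.AddHours(1).ToString('o')
}
```

If `StillTransitiveMember` comes back true after the direct removal, the user is reaching the application through a nested group, and removing the direct membership alone will never cut access regardless of token revocation.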

1 additional answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-12-26T10:18:45.9+00:00

    Hi @Shawn Goodwin ,

    Every application, be it an OAuth app or a SAML app (both gallery and non-gallery apps), has two objects created in AAD when it is registered. When you dump the properties of a Service Principal object using PS, you will find that every application has a certain number of tags associated with it, such as:

    • OAuth apps would have a tag called "WindowsAzureActiveDirectoryIntegratedApp"
    • Gallery SAML Apps would have a tag called "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1"
    • Non-Gallery SAML Apps would have a tag called "WindowsAzureActiveDirectoryCustomSingleSignOnApplication"

    By using the Graph API endpoint, you can identify whether the application is SAML-based or not:

    https://graph.microsoft.com/beta/servicePrincipals?$filter=tags/any(c:c eq 'WindowsAzureActiveDirectoryCustomSingleSignOnApplication')&$select=displayName,tags

    You can also identify the SAML applications with the help of replyURLs which are configured with /saml

    Get-AzureADApplication -All $true | where {$_.ReplyUrls -ne $null} | Select DisplayName, ReplyUrls | Sort DisplayName

    Also, there is no mechanism for revocation of access tokens in Microsoft Entra ID. Each SAML token has a configurable lifetime defined by NotBefore and NotOnOrAfter. The default in AAD is a one-hour lifetime.

    Hope this will help.

    Thanks,

    Shweta

    1 person found this answer helpful.
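Two parts of this answer lend themselves to a worked check, added here as an example that is not the answerer's code. Part 1 issues the same beta tag query through the Graph SDK and applies the reply-URL heuristic to service principals (Get-MgServicePrincipal is used in place of the older Get-AzureADApplication in the answer; it needs a Graph session with Application.Read.All). Part 2 reads NotBefore and NotOnOrAfter from a SAML assertion and reports how long the assertion stays valid; it runs offline against a constructed sample assertion whose lifetime matches the one-hour default mentioned above.

```powershell
# Added example (not code from the answer above).

# --- Part 1: find SAML-based service principals, by tag and by reply URL ---------
function Get-SamlServicePrincipal {
    # Same beta endpoint as in the answer, sent through the Graph SDK.
    $uri = "https://graph.microsoft.com/beta/servicePrincipals?`$filter=tags/any(c:c eq 'WindowsAzureActiveDirectoryCustomSingleSignOnApplication')&`$select=displayName,tags"
    $byTag = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value

    # Reply-URL heuristic from the answer, applied to service principals.
    $byReplyUrl = Get-MgServicePrincipal -All -Property DisplayName, ReplyUrls |
        Where-Object { $_.ReplyUrls -match '/saml' }

    [pscustomobject]@{
        ByTag      = $byTag      | Select-Object displayName, tags
        ByReplyUrl = $byReplyUrl | Select-Object DisplayName, ReplyUrls
    }
}

# --- Part 2: how long an already-issued SAML assertion remains valid ---------
function Get-SamlAssertionWindow {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $xml = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $cond = $xml.SelectSingleNode('//saml:Conditions', $ns)
    if (-not $cond) { throw 'Assertion has no Conditions element' }

    # NotBefore / NotOnOrAfter are the two attributes the answer refers to.
    $notBefore    = [datetimeoffset]::Parse($cond.GetAttribute('NotBefore')).UtcDateTime
    $notOnOrAfter = [datetimeoffset]::Parse($cond.GetAttribute('NotOnOrAfter')).UtcDateTime

    [pscustomobject]@{
        NotBeforeUtc     = $notBefore
        NotOnOrAfterUtc  = $notOnOrAfter
        LifetimeMinutes  = [int]($notOnOrAfter - $notBefore).TotalMinutes
        ValidNow         = ($Now -ge $notBefore) -and ($Now -lt $notOnOrAfter)
        # Minutes the application will keep honouring this assertion even though the
        # user is already out of the SSO group.
        RemainingMinutes = [math]::Max(0, [int]($notOnOrAfter - $Now).TotalMinutes)
    }
}

# Constructed sample assertion (not a real token). Tenant ID and audience are
# placeholders; the window is one hour after issue, a few minutes of skew before.
$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-sample" Version="2.0" IssueInstant="2023-12-16T02:30:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions NotBefore="2023-12-16T02:25:00Z" NotOnOrAfter="2023-12-16T03:30:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
'@

# Evaluate at a fixed instant so the output is reproducible: ten minutes after the
# sample's IssueInstant, as if the user had just been removed from the SSO group.
$removedAt = [datetimeoffset]::Parse('2023-12-16T02:40:00Z').UtcDateTime
Get-SamlAssertionWindow -AssertionXml $sampleAssertion -Now $removedAt
```

Run Part 2 against a real assertion captured from your own browser's SAML response (base64-decode the SAMLResponse form field first) to see how much of the lifetime is left at the moment of group removal; that remaining window is the "elapsed time" the accepted answer refers to for SAML applications, and no revocation call shortens it.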
