Hello sruthi,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. I will try to clarify your doubts one by one:
- Unfortunately, Microsoft does not provide a supported mechanism to end the Entra SSO/session for a single relying party (per client_id or resource) without affecting the global SSO state across other applications. Specifically, the standard Microsoft identity platform logout endpoint (`/oauth2/v2.0/logout`), even when supplied with parameters like `id_token_hint` or `client_id`, performs a global sign-out that ends the user's session across all Entra apps in that tenant. There is no supported variant of this endpoint or any API parameter that limits logout strictly to one application or relying party. This is also confirmed in Microsoft’s official documentation:
  - The OpenID Connect (OIDC) logout endpoint logs the user out of the entire session, not per app. It states the endpoint "ends the user's session with the Microsoft identity platform and other relying parties that use Microsoft Entra ID SSO."
  - The "Write a web app that signs in and out users" page explains that calling the logout endpoint clears the global authentication session.
- No, Microsoft does not provide an API to revoke refresh tokens or session cookies for a single application (client_id/resource) only. All available mechanisms operate at the user level across all apps. The Microsoft Graph API method `POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions` revokes all refresh tokens for the user across all applications, not scoped to a single client or resource. So, there is no equivalent API that targets one relying party (RP) or application only. Token revocation in Microsoft Entra ID is designed to be user-wide for security consistency. More at:
  - https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
  - https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens
  - https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#sign-out
However, you can post your feedback in our Azure feedback portal regarding the particular feature you want.
https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789
This channel is directly monitored by our PMs. They will look into this request and revert back to you directly with an update on this feature immediately.

Hope this helps somehow! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well. If you need more info, feel free to ask in the comments. Happy to help!
Regards,
Monalisha