
Is there a way to force tenant-wide refresh/invalidation of affected virtual account tokens?

Mote Jeffery 80 Reputation points
2026-03-31T01:11:59.2133333+00:00

Outlook mobile and macOS clients in our tenant are still experiencing persistent 401 Unauthorized errors. This appears to be caused by stale/orphaned session tokens tied to the virtual account feature, indicating incomplete token invalidation or delayed identity cache synchronization across non-Windows clients.

Currently, remediation requires full client resets, which is not scalable.

Exchange Online


2 answers

  1. Steven-N 24,365 Reputation points Microsoft External Staff Moderator
    2026-03-31T02:14:50.1733333+00:00

    Hi Mote Jeffery

    Thank you for reaching out to the Microsoft Q&A forum.

    As far as I know, this behavior is driven by stale authentication state on the client side after a service-side change. The most scalable, supported tenant-side remediation is to force affected users to obtain fresh tokens by revoking their Microsoft Entra sign-in sessions (refresh tokens), then having users sign in again.

    You can read here for more information: https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/users/users-revoke-access.md

    If the issue persists after session revocation and re-authentication, raise a Microsoft support ticket and reference the ongoing virtual account impact, so that Microsoft can validate whether your tenant is still in the residual impact window.

    Best regards


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  


  2. Q&A Assist
    2026-03-31T01:12:15.06+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    There is no tenant-wide “hard reset” mechanism that instantly invalidates all access tokens for Outlook mobile/macOS (or other Microsoft 365 apps). Token invalidation is based on access/refresh token lifetimes, revocation of refresh tokens, and reauthentication flows, not on a single global kill switch.

    Key points from the platform behavior:

    1. Access vs. refresh tokens
      • Access tokens are typically valid for about 1 hour and cannot be force-revoked before expiry; they remain valid until they time out.
      • Refresh tokens have longer lifetimes (for Microsoft 365 clients, typically up to 90 days and can remain valid with continuous use) and are what can be revoked.
      • When a client presents a refresh token, Microsoft Entra ID reevaluates authorization and issues a new access/refresh token pair only if the user is still authorized.
    2. What can be revoked tenant-wide
      • Admins can revoke refresh tokens and sign-in sessions for a user (for example, via Microsoft Graph invalidateAllRefreshTokens / Revoke-MgUserSignInSession or Entra admin actions). This:
        • Stops future token refreshes.
        • Forces affected clients to reauthenticate once their current access token expires.
      • However, this does not instantly invalidate already-issued access tokens; those must expire naturally.
    3. Behavior on password change / reset and policy changes
      • When a user’s password changes (and directory sync has occurred), the next refresh attempt with the old refresh token fails, forcing reauthentication and issuing a new token pair.
      • Admin password resets and user/tenant-level revocation events can revoke refresh tokens depending on the token type and scenario (for example, “Admin revokes all refresh tokens for a user” revokes all refresh tokens across token classes).
      • Conditional Access and features like continuous access evaluation (CAE) are used to shorten the effective window where a compromised or stale token can be used, but they still do not provide an immediate, tenant-wide purge of all access tokens.
    4. Outlook mobile/macOS and modern authentication
      • Outlook mobile uses MSAL with OAuth and receives an access/refresh token pair from Microsoft Entra ID.
      • Upon access token expiration, Outlook uses the refresh token to get a new pair. If the refresh token has been invalidated (for example, due to password change or admin revocation), Outlook is forced to reauthenticate.
      • Reducing token lifetimes is possible via configurable token lifetimes and Conditional Access session management, but this increases reauthentication frequency and can degrade performance and user experience.
    5. Practical mitigation pattern (no full client reset)
      Within the platform constraints, the closest to a “tenant-wide refresh” is:
      • Use RP-initiated logout for affected apps so that Entra ID ends the web session and notifies relying parties via front-channel logout where supported.
      • Immediately revoke user sessions/refresh tokens (for impacted users) using Microsoft Graph or Entra admin tools so that any subsequent token refresh fails and forces reauth.
      • Rely on access token expiry (≈1 hour) plus CAE/Conditional Access to narrow the window where stale tokens can still be used.
      • For apps that cache their own local sessions (such as some Microsoft 365 apps), users may still need to close/restart the app or browser to clear local cookies/cache; this is an application behavior limitation rather than a directory-side control.

    There is therefore no single tenant-wide API or switch that will immediately invalidate all Outlook virtual account tokens across all devices. The supported approach is to combine:

    • Session/refresh-token revocation,
    • Standard logout flows,
    • Token lifetime and Conditional Access configuration,
    • And, where necessary, user-side app restart/closure,

    rather than a global, instantaneous token flush.

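Both answers above point to the same supported control: revoke the affected users' Microsoft Entra sign-in sessions (refresh tokens) so the next token refresh fails and Outlook is forced to re-authenticate. The following script is an added example, not code from the original thread or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed (the `Microsoft.Graph.Users` and `Microsoft.Graph.Users.Actions` modules), that the signed-in admin holds `User.ReadWrite.All`, and it uses placeholder UPNs. It calls `Revoke-MgUserSignInSession` (the `POST /users/{id}/revokeSignInSessions` action) for each user and then reads back `signInSessionsValidFromDateTime` to confirm the revocation took effect, which is the check an admin wants before telling users to sign in again.

```powershell
# Added example (not from the original thread): bulk-revoke sign-in sessions for a list
# of affected users with the Microsoft Graph PowerShell SDK and verify the result.
# Assumptions: Microsoft.Graph.Users + Microsoft.Graph.Users.Actions are installed and the
# admin account has User.ReadWrite.All. The UPNs below are placeholders, not real accounts.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

param(
    # Placeholder UPNs; replace with the users still seeing 401s on Outlook mobile/macOS.
    [string[]]$AffectedUsers = @('user1@contoso.example', 'user2@contoso.example'),
    # Show what would be revoked without changing anything.
    [switch]$DryRun
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$results = foreach ($upn in $AffectedUsers) {
    # signInSessionsValidFromDateTime is the cut-off: refresh tokens and sessions issued
    # before this timestamp are rejected the next time a client tries to use them.
    $before = (Get-MgUser -UserId $upn `
        -Property 'id,userPrincipalName,signInSessionsValidFromDateTime').SignInSessionsValidFromDateTime

    if ($DryRun) {
        [pscustomobject]@{ User = $upn; Before = $before; After = $null; Revoked = $false; Note = 'dry run' }
        continue
    }

    try {
        # POST /users/{id}/revokeSignInSessions resets the timestamp to "now".
        # Already-issued access tokens are NOT affected; they expire on their own
        # (about 1 hour, per the answer above) unless the client supports CAE.
        $resp  = Revoke-MgUserSignInSession -UserId $upn -ErrorAction Stop
        Start-Sleep -Seconds 2   # small wait so the read-back reflects the change
        $after = (Get-MgUser -UserId $upn `
            -Property 'signInSessionsValidFromDateTime').SignInSessionsValidFromDateTime

        $note = if ($after -gt $before) { 'ok' } else { 'timestamp did not advance; re-check' }
        [pscustomobject]@{ User = $upn; Before = $before; After = $after; Revoked = [bool]$resp.Value; Note = $note }
    }
    catch {
        # Typical causes: user not found, insufficient Graph permission, throttling.
        [pscustomobject]@{ User = $upn; Before = $before; After = $null; Revoked = $false; Note = $_.Exception.Message }
    }
}

# One row per user: Before/After timestamps show the revocation landed.
$results | Format-Table -AutoSize
```

Run it first with `-DryRun` to confirm the user list resolves, then without. After the revocation, Outlook mobile and macOS clients hit the 401 on their next refresh attempt and prompt for sign-in; the remaining window is the lifetime of the access token each client already holds, which the directory side cannot shorten retroactively.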
