After getting access/refresh tokens from oauth flow for microsoft graph apis, is there a way to "sign out" or "revoke" access?

AD Dev 126 Reputation points
2021-10-13T17:32:43.157+00:00

In Graph API, if a user grants permission for us to call Graph APIs on their behalf using the delegated OAuth flow (https://learn.microsoft.com/en-us/graph/auth-v2-user), is there a way that we can deactivate the tokens at a later point in time?

I see that there are Graph APIs that we can use to revoke permission grants: https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0

But these require additional permissions, would allow us to revoke other tokens, and have a lot more access than we need for our application. I'm wondering if there is a way that we can revoke only the access/refresh token that we received during delegated OAuth, without requiring any additional permission, and without the user having to do it on their side.

This would be useful, for example, if we no longer need access to the token and want to limit our attack surface, or if the tokens were compromised and we didn't want to wait for the user to "sign out" of the tokens.

Microsoft Entra ID

Accepted answer
AmanpreetSingh-MSFT 56,286 Reputation points
2021-10-14T12:33:40.417+00:00

Hi @AD Dev • Thank you for reaching out.

Yes, revoking OAuth permissions will revoke the permissions for other applications as well. Similarly, you cannot revoke refresh tokens for a specific app. There is no option to invalidate access tokens for active users.

The best I can think of in this scenario is using sign-in frequency, which can be configured using the session controls option in a Conditional Access policy. The sign-in frequency setting works with apps that have implemented the OAuth2 or OIDC protocols according to the standards. By using sign-in frequency, you can define the time period at the expiry of which user(s) have to sign in again when attempting to access a resource. E.g. if you have configured sign-in frequency to 30 minutes, users who are under the scope of the policy will be required to sign in every 30 minutes to the application(s) included in the policy.

Read more: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-1-sign-in-frequency-control

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
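As an added illustration of the workaround in the accepted answer (not code from the answer or from Microsoft), this builds a Graph `conditionalAccessPolicy` body that enforces a sign-in frequency for a single application, validates it against the enum values the API accepts, and shows the POST that creates it. The app ID, policy name and bearer token are placeholders; creating the policy requires an admin token with Policy.ReadWrite.ConditionalAccess (plus the other permissions Graph lists for that endpoint), and the policy is created in report-only mode by default so it can be reviewed before enforcement.

```python
import json
import urllib.request

# Graph v1.0 endpoint for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# signInFrequencySessionControl.type accepts "hours" or "days" (no minutes).
VALID_UNITS = {"hours", "days"}
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def build_sign_in_frequency_policy(app_id, value, unit="hours",
                                   display_name="Require re-auth for app",
                                   state="enabledForReportingButNotEnforced"):
    """Return a conditionalAccessPolicy body that forces users of app_id to
    re-authenticate every `value` hours/days, bounding the useful life of
    any refresh token issued for that app."""
    if unit not in VALID_UNITS:
        raise ValueError(f"unit must be one of {sorted(VALID_UNITS)}")
    if not isinstance(value, int) or value < 1:
        raise ValueError("value must be a positive integer")
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {sorted(VALID_STATES)}")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
        },
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": unit, "value": value}
        },
    }


def create_policy(policy, access_token):
    """POST the policy to Graph; returns the created policy as a dict."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # network call, not run in tests
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder app ID (constructed); a real GUID goes here.
    print(json.dumps(build_sign_in_frequency_policy("00000000-0000-0000-0000-000000000000", 1), indent=2))
```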
