question

dvdzo asked amanpreetsingh-msft answered

After getting access/refresh tokens from oauth flow for microsoft graph apis, is there a way to "sign out" or "revoke" access?

In Graph API, if a user grants permission for us to call Graph APIs on their behalf using the delegated OAuth flow (https://docs.microsoft.com/en-us/graph/auth-v2-user), is there a way that we can deactivate the tokens at a later point in time?

I see that there are graph apis that we can use to revoke permission grants: https://docs.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0

But these require additional permissions, and would allow us to revoke other tokens, and have a lot more access than we need for our application. I'm wondering if there is a way that we can revoke only the access/refresh token that we received during delegated oauth, without requiring any additional permission, and without the user having to do it on their side.

This would be useful for example if we no longer need access to the token and want to limit our attack surface, or if the tokens were compromised we wouldn't need to wait for the user to "sign out" of the tokens.

azure-ad-authentication


1 Answer

amanpreetsingh-msft answered

Hi @dvdzo, thank you for reaching out.

Yes, revoking OAuth permissions will revoke the permissions for other applications as well. Similarly, you cannot revoke refresh tokens for a specific app. There is no option to invalidate Access token for active users.

The best I can think of in this scenario is using sign-in frequency, which can be configured with the session controls option in a Conditional Access policy. The sign-in frequency setting works with apps that have implemented the OAuth2 or OIDC protocols according to the standards. By using sign-in frequency, you can define the time period after which user(s) have to sign in again when attempting to access a resource. E.g. if you have configured sign-in frequency to 30 minutes, users who are in the scope of the policy will be required to sign in every 30 minutes to the application(s) included in the policy.

Read more: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-1-sign-in-frequency-control


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
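Added example, not part of the question or the answer above: since there is no per-app endpoint to revoke a delegated access/refresh token, the two levers left are the tenant-side sign-in frequency control the answer describes and the app's own token hygiene. The Python below shows both sides: a helper that builds the request body for a Conditional Access policy with a sign-in frequency session control (field names assumed to match Microsoft's documented `conditionalAccessPolicy` resource, with the frequency expressed in hours; check against the linked doc before posting it), and a small client-side token cache that reads `exp` from the access token without verifying it (verification is Graph's job, not the client's), refuses to use a token that is about to expire, and wipes both tokens on a local sign-out. The JWT is a constructed, unsigned sample so the code runs offline; `make_unsigned_demo_token`, `TokenCache` and `sign_in_frequency_policy` are names I chose for this example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def read_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only used to read lifetime metadata (exp) on the client side; the resource
    server (Microsoft Graph) is the party that validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: int) -> int:
    """Remaining lifetime in seconds according to the token's own exp claim."""
    exp = int(read_jwt_claims(token)["exp"])
    return max(0, exp - int(now))


@dataclass
class TokenCache:
    """Minimal per-user cache for the tokens obtained from the delegated flow."""
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None

    def usable_access_token(self, now: int, skew: int = 60) -> Optional[str]:
        # Treat a token that expires within `skew` seconds as already unusable,
        # so a request never goes out with a token that dies in flight.
        if self.access_token is None:
            return None
        if seconds_until_expiry(self.access_token, now) <= skew:
            return None
        return self.access_token

    def local_sign_out(self) -> None:
        # Without a revocation endpoint, the only unilateral action the app can
        # take is to stop holding the tokens: forget both of them.
        self.access_token = None
        self.refresh_token = None


def sign_in_frequency_policy(display_name: str, app_id: str, hours: int) -> dict:
    """Body for POST /identity/conditionalAccess/policies (assumed shape).

    Created in report-only mode so the effect can be reviewed before enforcing.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
        },
        "sessionControls": {
            "signInFrequency": {"value": hours, "type": "hours", "isEnabled": True}
        },
    }


def make_unsigned_demo_token(exp: int) -> str:
    # Constructed sample: an unsigned JWT with only the claims this demo reads.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"aud": "https://graph.microsoft.com", "exp": exp}).encode()
    )
    return f"{header}.{payload}."


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    cache = TokenCache(
        access_token=make_unsigned_demo_token(now + 3600),
        refresh_token="constructed-refresh-token",
    )
    print("usable now:", cache.usable_access_token(now) is not None)
    print("usable 10s before exp:", cache.usable_access_token(now + 3590) is not None)
    cache.local_sign_out()
    print("after local sign-out:", cache.access_token, cache.refresh_token)
    print(json.dumps(sign_in_frequency_policy("Graph app 1h re-auth", "<APP-ID>", 1), indent=2))
```

The `skew` check and the local sign-out only shrink the window on the app's side; a token that has already left the app (the "compromised" case in the question) keeps working until its `exp`, which is exactly why the tenant-side sign-in frequency control is the lever the answer points to.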

