question

18028028 asked

Revoke access for an access_token received via MS Active Directory authentication



I am currently using the passport-azure-ad and @azure/msal-node Node.js libraries to authenticate users for my own APIs. When the user successfully authenticates via his/her Microsoft account we receive an access_token, and the user can call our APIs with that access_token. Now, if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.

How can we do this please?

Tags: azure-active-directory, azure-ad-authentication, azure-ad-msal

1 Answer

michev answered

We cannot revoke access tokens, only refresh ones. If you want to speed up the process in situations where the account has been disabled or similar, consider enabling Continuous Access Evaluation: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#scenarios


@michev the docs say:
"For this reason, Microsoft is actively working to bring continuous access evaluation to Office 365 applications, which helps ensure invalidation of access tokens in near real time."

What does it mean by Office 365 apps?

In my case I am using AD to authenticate users so that they can get an access_token to use my custom Node.js APIs, but the docs say it's for Office 365 apps. Have I misunderstood anything?


The quoted text is for "first-party" apps, where Microsoft is responsible for the implementation. For third-party apps, there are additional steps the developer should complete as detailed here (link from the article above): https://docs.microsoft.com/en-us/azure/active-directory/develop/app-resilience-continuous-access-evaluation

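The client-side claims-challenge handling that the app-resilience document linked in michev's reply describes, as an added example that is not code from this thread or from MSAL itself: it decodes the CAE `WWW-Authenticate` challenge a resource returns once a session has been revoked and builds the msal-node retry request. Assumed: the `clientCapabilities` config key and the `{ account, scopes, claims }` request shape of msal-node; the header value and claims are constructed.

```javascript
// Added example (not from the Q&A thread, not MSAL's own code). A CAE-enabled
// resource rejects a revoked session with 401 + WWW-Authenticate; the client
// decodes the "claims" parameter and re-requests a token carrying those claims.

// msal-node `auth` config declaring the app handles claims challenges ("cp1").
const MSAL_CAE_AUTH = {
  clientId: 'PLACEHOLDER_CLIENT_ID',            // placeholder, not a real id
  authority: 'https://login.microsoftonline.com/PLACEHOLDER_TENANT',
  clientCapabilities: ['cp1'],
};

// Parse "Bearer k=v, k2="v2"" into a lowercase-keyed map; quoted values may hold ',' and '='.
function parseBearerChallenge(header) {
  if (typeof header !== 'string' || !/^\s*Bearer\b/i.test(header)) return null;
  const params = {};
  const body = header.replace(/^\s*Bearer/i, '');
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]*))/g;
  let m;
  while ((m = re.exec(body)) !== null) params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  return params;
}

// Decoded claims object for a CAE claims challenge, or null when the 401 is an
// ordinary rejection (invalid_token, missing header, undecodable claims).
function extractClaimsChallenge(header) {
  const p = parseBearerChallenge(header);
  if (!p || p.error !== 'insufficient_claims' || !p.claims) return null;
  try {
    return JSON.parse(Buffer.from(p.claims, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Retry request for msal-node acquireTokenSilent(): same scopes, cached account,
// challenge claims serialized as JSON (assumed SilentFlowRequest shape).
function buildRetryRequest(account, scopes, claimsObj) {
  return { account, scopes, claims: JSON.stringify(claimsObj) };
}

// Constructed sample revocation challenge; real claims payloads are longer.
const SAMPLE_CLAIMS = { access_token: { nbf: { essential: true, value: '1603835400' } } };
const SAMPLE_401_HEADER =
  'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", ' +
  `error="insufficient_claims", claims="${Buffer.from(JSON.stringify(SAMPLE_CLAIMS)).toString('base64')}"`;
```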