We cannot revoke access tokens, only refresh ones. If you want to speed up the process in situations where the account has been disabled or similar, consider enabling Continuous Access Evaluation: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#scenarios
Revoke access for an access_token received via MS Active Directory authentication
18028028
I am currently using the passport-azure-ad and @azure/msal-node Node.js libraries to authenticate users for my own APIs. When the user successfully authenticates via his/her Microsoft account we receive an access_token, and the user can call our APIs with that access_token. Now if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.
How can we do this please?
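Because an issued access token stays valid until it expires, the API in the question can still refuse it on its own side. The following is an added example, not code from this thread or from either library: a deny-list keyed on the token's `oid` claim that rejects any token whose `iat` is at or before the moment the account was disabled. The class name, the `markDisabled` hook and the sample values are assumptions, and the token is assumed to have been validated already (signature, issuer, audience, expiry).

```javascript
// Added example (not from the thread). Assumes signature, issuer, audience
// and `exp` were already validated and `claims` is the decoded token payload.
class DisabledAccountGate {
  // maxTokenLifetimeSec: longest access-token lifetime your tenant issues
  // (assumption: supplied by you). Older deny-list entries are pruned.
  constructor(maxTokenLifetimeSec) {
    this.maxTokenLifetimeSec = maxTokenLifetimeSec;
    this.cutoffByOid = new Map(); // oid -> epoch seconds of the disable event
  }

  // Hypothetical hook: call when your admin tooling or directory sync
  // learns that the account with this object id was disabled.
  markDisabled(oid, nowSec) {
    this.cutoffByOid.set(oid, nowSec);
  }

  // Drop entries whose pre-disable tokens must all have expired by now.
  prune(nowSec) {
    for (const [oid, cutoff] of this.cutoffByOid) {
      if (nowSec - cutoff > this.maxTokenLifetimeSec) this.cutoffByOid.delete(oid);
    }
  }

  // Decide whether a validated token may be used for this request.
  check(claims, nowSec) {
    if (!claims || typeof claims.oid !== 'string' || typeof claims.iat !== 'number') {
      return { allow: false, reason: 'missing_claims' }; // fail closed
    }
    this.prune(nowSec);
    const cutoff = this.cutoffByOid.get(claims.oid);
    if (cutoff !== undefined && claims.iat <= cutoff) {
      return { allow: false, reason: 'account_disabled' };
    }
    return { allow: true, reason: 'ok' };
  }
}

// Constructed sample values (epoch seconds and object ids are made up).
const gate = new DisabledAccountGate(5400);
const oldToken = { oid: 'user-a', iat: 1000 };
console.log(gate.check(oldToken, 1100)); // before the disable event
gate.markDisabled('user-a', 1200);
console.log(gate.check(oldToken, 1300)); // same token, after the disable
console.log(gate.check({ oid: 'user-a', iat: 2000 }, 2100)); // token issued after re-enable
```

The map here lives in one process; an API running several instances would need the same cutoff data in a store they all read.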