Revoke access for an access_token received via MS Active Directory authentication

18028028 1 Reputation point
2021-11-09T08:18:32.48+00:00

I am currently using the passport-azure-ad and @azure/msal-node Node.js libraries to authenticate users for my own APIs. When the user successfully authenticates via his/her Microsoft account, we receive an access_token, and the user can call our APIs with that access_token. Now, if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.

How can we do this, please?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Vasil Michev 95,836 Reputation points MVP
    2021-11-09T09:10:20.403+00:00

    We cannot revoke access tokens, only refresh ones. If you want to speed up the process in situations where the account has been disabled or similar, consider enabling Continuous Access Evaluation: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#scenarios
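As the answer states, an Entra ID access token stays valid until its `exp` claim; the identity provider will not pull it back. The compensating control an API owner can add on their own side is a per-user cutoff: record when a user was disabled, and refuse any token whose `iat` (issued-at) is not later than that cutoff. The following is an added example, not code from the question, the answer, or the passport-azure-ad / msal-node projects. It assumes the bearer token's signature, issuer and expiry have already been verified upstream (for instance by passport-azure-ad's BearerStrategy, which hands the decoded claims to your verify callback), and that `EXPECTED_AUDIENCE`, the function names, and the sample claims are placeholders constructed for the example.

```javascript
// Added example (not from the original post): a resource-server gate for an
// already signature-verified Entra ID access token. Since the token itself
// cannot be revoked, the API keeps its own per-user cutoff (unix seconds at
// which the user was disabled) and rejects tokens issued at or before it.
// EXPECTED_AUDIENCE, the function names and all sample values are assumptions.

const EXPECTED_AUDIENCE = 'api://example-api'; // assumption: your API's App ID URI

// oid (the user's immutable object id claim) -> unix seconds of the disable.
// Feed this from whatever signal you have (your admin flow, a Graph poll, a
// CAE claims challenge); the per-request lookup is what blocks stale tokens.
const revokedAt = new Map();

function revokeUser(oid, atSeconds) {
  revokedAt.set(oid, atSeconds);
}

function reinstateUser(oid) {
  revokedAt.delete(oid);
}

// Returns { ok: true } or { ok: false, reason }. `claims` is the decoded JWT
// payload; `nowSeconds` is injected so the logic is testable without a clock.
function authorizeRequest(claims, nowSeconds) {
  const { aud, iat, nbf, exp, oid } = claims;
  if (aud !== EXPECTED_AUDIENCE) return { ok: false, reason: 'wrong audience' };
  if (typeof exp !== 'number' || nowSeconds >= exp) return { ok: false, reason: 'expired' };
  if (typeof nbf === 'number' && nowSeconds < nbf) return { ok: false, reason: 'not yet valid' };
  if (typeof iat !== 'number' || typeof oid !== 'string') return { ok: false, reason: 'missing iat or oid' };
  const cutoff = revokedAt.get(oid);
  if (cutoff !== undefined && iat <= cutoff) {
    return { ok: false, reason: 'user disabled after token issued' };
  }
  return { ok: true };
}

// A cutoff older than the longest access-token lifetime you accept can be
// dropped: every token issued before it has expired on its own by then.
// Returns the number of entries still held.
function pruneRevocations(nowSeconds, maxTokenLifetimeSeconds) {
  for (const [oid, at] of revokedAt) {
    if (at + maxTokenLifetimeSeconds < nowSeconds) revokedAt.delete(oid);
  }
  return revokedAt.size;
}

module.exports = { authorizeRequest, revokeUser, reinstateUser, pruneRevocations };
```

Call `authorizeRequest` from the BearerStrategy verify callback or from a middleware that runs after `passport.authenticate`, and keep the access-token lifetime short so the map only has to cover a window of an hour or so. Record the cutoff from a clock you trust and allow for skew against the issuer's `iat`; a disable and a token issued in the same second are treated here as the token losing. This does not replace Continuous Access Evaluation where the resource supports it; it is the fallback an API can enforce by itself.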