How to revoke token

Xu, Kyson K 151 Reputation points

After I get the token value, what method can I use to cancel the token and invalidate the token? Before the token expires, it is possible to call our application interface through Postman, but this situation should be prohibited.

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,301 Reputation points

    Hi @Xu, Kyson K • Thank you for reaching out.

    You can use the Graph call below to revoke the refresh token:

    To revoke the refresh token of the signed-in user:

    To revoke the refresh token of another user:

    Alternatively, you can use the PowerShell cmdlets below as well:

    Note: You cannot revoke access tokens. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.

    You may also consider setting access token lifetime to a lower value than 1 hour (minimum supported value is 10 minutes and the maximum is 1 day). Refer to:

    Read more: Access token lifetime


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
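
The revocation described in the accepted answer, as an added example that is not part of the original answer and may not be the cmdlets the answerer had in mind. It assumes the Microsoft Graph PowerShell SDK is installed and uses a hypothetical account name. It revokes the user's refresh tokens, confirms the change took effect, and reports how long already-issued access tokens can remain usable.

```powershell
# Added example. Requires the Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules.
$UserId = 'user@contoso.example'   # hypothetical account: replace with a real UPN or object ID

# Assumption: the signed-in administrator can consent to this scope.
Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null

# Small helper (defined for this example): read the user's current revocation cutoff.
function Get-SessionCutoff {
    param([string]$Id)
    (Get-MgUser -UserId $Id -Property 'signInSessionsValidFromDateTime').SignInSessionsValidFromDateTime
}

$before = Get-SessionCutoff -Id $UserId

# Invalidate the user's refresh tokens and browser session cookies.
Revoke-MgUserSignInSession -UserId $UserId | Out-Null

# Poll briefly as a precaution until the directory shows the new cutoff.
$after = $before
for ($i = 0; $i -lt 6 -and $after -le $before; $i++) {
    Start-Sleep -Seconds 5
    $after = Get-SessionCutoff -Id $UserId
}
if ($after -le $before) {
    throw "Revocation cutoff did not advance for $UserId"
}

# Access tokens issued before the cutoff are NOT revoked; they stay valid until they expire.
# Worst case is a token issued just before revocation, using the 1-hour default from the answer.
$AccessTokenLifetime = New-TimeSpan -Hours 1

[pscustomobject]@{
    User                       = $UserId
    RefreshTokensInvalidBefore = $after
    AccessTokensMayWorkUntil   = $after.Add($AccessTokenLifetime)
}
```

If a shorter access token lifetime is configured, set `$AccessTokenLifetime` to that value so the reported window matches the tenant.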

1 additional answer

  1. Andi Jones 1 Reputation point

    To revoke a refresh token, send a POST request to your domain. The /oauth/revoke endpoint revokes the entire grant, not just a specific token. Use the /api/v2/device-credentials endpoint to revoke refresh tokens.