Hi All, I've a scenario where in my application uses MS GraphAPI for authentication and authorizing a user with his MS credentials. Once the user login to the application we get the token but once the user logout the application I would need to invalidate that token alone(which he got it from login). Is this possible to invalidate only one token in MS GraphAPI? Thanks in advance.

Hi @Raja R The access tokens in the ms graph API are not associated, and the invalidation of one token will not cause the invalidation of another token. The invalidate of the access token is only related to its lifetime, and the default lifetime is 1 hour. Note that even if the user logs out the application, the access token will not invalidate immediately, it can still call the graph api and will expire automatically after 1 hour. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Invalidate a specific token from an application instead of all the tokens in MS GraphAPI?

Accepted answer

CarlZhao-MSFT 36,891 Reputation points

2022-04-14T08:52:49.107+00:00

Hi @Raja R

The access tokens in the ms graph API are not associated, and the invalidation of one token will not cause the invalidation of another token. The invalidate of the access token is only related to its lifetime, and the default lifetime is 1 hour. Note that even if the user logs out the application, the access token will not invalidate immediately, it can still call the graph api and will expire automatically after 1 hour.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Raja R 36 Reputation points

2022-04-14T12:29:21.283+00:00

Thanks for the information.
Is it possible to invalidate a single token!?

CarlZhao-MSFT 36,891 Reputation points

2022-04-15T01:40:26.417+00:00

@Raja R There is currently no way to invalidate single access token, you can only revoke refresh tokens but not access tokens. The access token expires automatically after 1 hour and we cannot revoke it during its lifetime.

CarlZhao-MSFT 36,891 Reputation points

2022-04-18T09:23:31.607+00:00

Hi @Raja R Would you please provide us with an update on the status of your issue?

Raja R 36 Reputation points

2022-04-18T09:27:07.93+00:00

Hi, Yes now we are trying to reduce the expiry time of the access token! Is this possible?

CarlZhao-MSFT 36,891 Reputation points

2022-04-19T02:00:41.13+00:00

Hi @Raja R Of course, you can customize the token expiration time by configuring the token lifetime policy. https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes

Raja R 36 Reputation points

2022-04-19T07:21:45.1+00:00

Hi @CarlZhao-MSFT , thanks for the response it really helped me.. but just wondering what's the difference between
https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession - this api and invalidating the token?
Does the logoutsession invalidates the token aswell?

CarlZhao-MSFT 36,891 Reputation points

2022-04-19T08:00:01.063+00:00

Hi @Raja R This URL is used to log out of the session, logging out of the session does not invalidate the token, the access token will only invalidate automatically after its lifetime expires, this is by design and has nothing to do with you logging out of the session. However, you can customize the expiration time (lifetime) of the token though, which I believe you already do.

Raja R 36 Reputation points

2022-04-19T08:14:28.923+00:00

@CarlZhao-MSFT , Thanks for your time and patience in answering my questions. This really helped me a lot..
Cheers!
RJ
Sign in to comment

Invalidate a specific token from an application instead of all the tokens in MS GraphAPI?

0 additional answers