Hi @mohamed arshad ,
Thanks for reaching out.
I understand you are looking to revoke the tokens so users won't be able to access the application further.
You can use the Graph call below to revoke the refresh token:
To revoke the refresh token of the signed-in user:
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
To revoke the refresh token of another user:
POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions
Alternatively, you can use the PowerShell cmdlets below as well:
Revoke-AzureADSignedInUserAllRefreshToken
Revoke-AzureADUserAllRefreshToken
Access tokens cannot be revoked. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.
You may also consider setting access token lifetime to a lower value than 1 hour (minimum supported value is 10 minutes and the maximum is 1 day). Refer to: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#token-lifetime-policies-for-access-saml-and-id-tokens.
Hope this will help.
Thanks,
Shweta
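The following is an added example, not part of the original answer. It builds the revokeSignInSessions request described above and computes how long an already-issued access token remains usable after the refresh tokens are revoked. It assumes the access token is a JWT issued for your own API; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def revoke_request(user, admin_token):
    """Build (not send) the POST that revokes refresh tokens.
    user=None targets the signed-in user (/me); otherwise pass an object id or UPN."""
    path = "/me" if user is None else "/users/" + urllib.parse.quote(user, safe="@")
    return urllib.request.Request(
        GRAPH + path + "/revokeSignInSessions",
        data=b"", method="POST",
        headers={"Authorization": "Bearer " + admin_token})

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def residual_seconds(access_token, revoked_at):
    """Seconds an issued access token stays valid after revocation time (epoch)."""
    return max(0, jwt_claims(access_token)["exp"] - revoked_at)

def constructed_token(iat, lifetime_s):
    """Constructed, unsigned sample token for this demo (not a real token)."""
    def enc(d):
        raw = json.dumps(d).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}),
                     enc({"iat": iat, "exp": iat + lifetime_s}), "sig"])

if __name__ == "__main__":
    issued = 1_700_000_000          # constructed issue time
    revoked = issued + 600          # revocation happens 10 minutes later
    for lifetime in (3600, 600):    # default 1 hour vs. 10-minute minimum
        tok = constructed_token(issued, lifetime)
        print(f"lifetime {lifetime}s -> still valid for "
              f"{residual_seconds(tok, revoked)}s after revocation")
    req = revoke_request("user@contoso.com", "ADMIN_TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    # To actually send it: urllib.request.urlopen(req)
```

With the default 1-hour lifetime the token issued 10 minutes before revocation keeps working for another 50 minutes, while a 10-minute lifetime leaves no residual window.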