Share via


Invoke-MgBetaInvalidateAllUserRefreshToken

Invalidates all of the user's refresh tokens issued to applications and session cookies in a user's browser, by resetting the refreshTokensValidFromDateTime user property to the current date-time. Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation would prevent access to any of the organization's data accessed through applications on the device without the user first being required to sign in again. In fact, this operation would force the user to sign in again for all applications that they have previously consented to, independent of device. For developers, if the application attempts to redeem a delegated access token for this user by using an invalidated refresh token, the application receives an error. If this happens, the application needs to acquire a new refresh token by making a request to the OAuth 2.0 /authorize endpoint, which forces the user to sign in.

Syntax

Invalidate (Default)

Invoke-MgBetaInvalidateAllUserRefreshToken
    -UserId <String>
    [-ResponseHeadersVariable <String>]
    [-Headers <IDictionary>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

InvalidateViaIdentity

Invoke-MgBetaInvalidateAllUserRefreshToken
    -InputObject <IUsersActionsIdentity>
    [-ResponseHeadersVariable <String>]
    [-Headers <IDictionary>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

Invalidates all of the user's refresh tokens issued to applications and session cookies in a user's browser, by resetting the refreshTokensValidFromDateTime user property to the current date-time. Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation would prevent access to any of the organization's data accessed through applications on the device without the user first being required to sign in again. In fact, this operation would force the user to sign in again for all applications that they have previously consented to, independent of device. For developers, if the application attempts to redeem a delegated access token for this user by using an invalidated refresh token, the application receives an error. If this happens, the application needs to acquire a new refresh token by making a request to the OAuth 2.0 /authorize endpoint, which forces the user to sign in.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) User.RevokeSessions.All, User.ReadWrite, Directory.ReadWrite.All,
Delegated (personal Microsoft account) User.ReadWrite,
Application User.RevokeSessions.All,

Examples

Example 1: Code snippet


Import-Module Microsoft.Graph.Beta.Users.Actions

# A UPN can also be used as -UserId.
Invoke-MgBetaInvalidateAllUserRefreshToken -UserId $userId

This example shows how to use the Invoke-MgBetaInvalidateAllUserRefreshToken Cmdlet.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Headers

Optional headers that will be added to the request.

Parameter properties

Type:IDictionary
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-InputObject

Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.

Parameter properties

Type:IUsersActionsIdentity
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

InvalidateViaIdentity
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:RHV

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UserId

The unique identifier of user

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

Invalidate
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Microsoft.Graph.Beta.PowerShell.Models.IUsersActionsIdentity

System.Collections.IDictionary

Outputs

System.Boolean

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

INPUTOBJECT <IUsersActionsIdentity>: Identity Parameter

  • [UserId <String>]: The unique identifier of user