Revoking Azure AAD refresh token

Ika 76 Reputation points Microsoft Employee
2025-01-26T12:15:10.5366667+00:00

When a user is signing in to a website and is authenticated using AAD, a reasonable architecture would provide the client with both an access token and a refresh token, which is used in order to avoid presenting the sign-in dialog to the user again and again.

When a user signs out, you would delete the tokens from the client, but there is still a security risk that somehow someone else gains access to these tokens.
The expected additional action would be to revoke the access token.

It seems that the only API for that is revoking all of the user's refresh tokens, which will impact other websites used by the user.

I'm wondering, why isn't there a dedicated API to revoke a specific access token?

The current solution is making the app stateful and letting the app know that a token is not valid anymore.


Janaki Kota 540 Reputation points Microsoft Vendor
    2025-01-29T12:18:21.4933333+00:00

    Hello @Ika,

    Thank you for reaching out to Microsoft Q&A.

    We understand that you are looking for an option to revoke the access token once the user signs out from an application due to some security concerns. Unfortunately, as stated below, you cannot revoke access tokens. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens. You may also consider setting the access token lifetime to a lower value than 1 hour (the minimum supported value is 10 minutes and the maximum is 1 day).


    Kindly refer to this document for more information: https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes

    https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens

    In general, if a user authenticates with Azure AD and checks the "Keep me signed in" box, a single sign-on session is established with the user’s browser and Azure AD. The Single Sign-On Session Token, in the form of a cookie, represents this session. It is important to note that the SSO session token is not bound to a specific resource/client application. SSO session tokens can be revoked, and their validity is checked every time they are used. 

    Also, there are some features like token protection from the conditional access policy. Please refer to the document below for more details: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection

    You can use the Graph calls below to revoke the refresh token:

    To revoke the refresh token of the signed-in user: 

    POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions 

    To revoke the refresh token of another user: 

    POST https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions 

    Alternatively, you can use the PowerShell cmdlets below as well:

    Revoke-AzureADSignedInUserAllRefreshToken 

    Revoke-AzureADUserAllRefreshToken 

    Hope this helps. Do let us know if you have any further queries.

    Thanks & Regards

    Janaki Kota 
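As an added example (not code from either poster), here is the Graph revocation call from the answer next to the app-side "stateful" check the question describes, in Python. It assumes the tokens carry a session identifier claim (`sid` here; adapt to whatever claim your tokens expose) and uses a constructed, unsigned sample token instead of a real Entra token.

```python
import base64
import json
import time

GRAPH = "https://graph.microsoft.com/v1.0"

def revoke_sessions_request(user=None):
    """Build the Graph call from the answer. user=None targets the signed-in
    user (/me); otherwise pass the user's object id or UPN. Returned as a dict
    so it can be sent with any HTTP client; the bearer value is a placeholder."""
    target = "/me" if user is None else f"/users/{user}"
    return {"method": "POST",
            "url": f"{GRAPH}{target}/revokeSignInSessions",
            "headers": {"Authorization": "Bearer <caller access token>"}}

def decode_claims(jwt):
    """Return the payload claims of a JWT without checking its signature.
    Only call this on a token your auth middleware has already validated."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class SessionDenylist:
    """The 'stateful app' approach from the question: after sign-out, remember
    the session until its last access token would expire, so a leaked but
    unexpired token is rejected even though Entra cannot revoke it."""

    def __init__(self, claim="sid"):   # assumption: tokens carry a session id claim
        self.claim = claim
        self._entries = {}             # session id -> (revoked_at, keep_until)

    def revoke(self, claims, now=None):
        now = time.time() if now is None else now
        key = claims[self.claim]
        prev_at, prev_until = self._entries.get(key, (0, 0))
        self._entries[key] = (max(prev_at, now), max(prev_until, claims["exp"]))

    def is_revoked(self, claims, now=None):
        now = time.time() if now is None else now
        # drop entries whose tokens have all expired, so state stays bounded
        self._entries = {k: v for k, v in self._entries.items() if v[1] > now}
        entry = self._entries.get(claims.get(self.claim))
        # tokens issued after the sign-out belong to a new login and stay valid
        return entry is not None and claims.get("iat", 0) <= entry[0]

def make_fake_jwt(claims):
    """Constructed, unsigned sample token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

The denylist only needs to hold an entry for as long as the access token lifetime configured in the linked token-lifetime document, which is why shortening that lifetime also shrinks the app-side state.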

