Issues with Revoke User Session Using Graph API

itay4 56 Reputation points
2025-02-09T10:21:08.1466667+00:00

I am using the Microsoft Graph API to revoke a user session. According to the documentation, the User.RevokeSessions.All (Delegated) permission is required. I have also added the following permissions:

  • User.ReadWrite.All (Delegated)
  • Directory.AccessAsUser.All (Delegated)
  • Directory.ReadWrite.All (Delegated)

API Request:

I am using the following API request:

# revokeSignInSessions takes no request body, so no Content-Length is sent
# (a Content-Length header without a body makes the server wait for bytes that never arrive)
curl -X POST "https://graph.microsoft.com/v1.0/users/<USER_EMAIL>/revokeSignInSessions" \
-H "Accept: application/json" \
-H "Authorization: Bearer <XX_REPLACED>" \
-H "Content-Type: application/json"

Issue:

When I use a token generated with the admin's authorization code, the request is successful. However, when using a token generated by a non-admin user, I receive an HTTP 403 Unauthorized response.

Error in API call [403] - Forbidden {"error": {"code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": {"date": "2025-02-09T09:09:30", "request-id": "dummy-id", "client-request-id": "dummy-id"}}}

Question:

I do not see anything in the documentation indicating that only administrators can execute this API request. Am I missing something? Why do non-admin users get an HTTP 403 Unauthorized response?


Accepted answer
  1. Yakun Huang-MSFT 10,555 Reputation points Microsoft External Staff
    2025-02-10T01:46:18.89+00:00

    Hello itay4,

    Thank you for reaching out to Microsoft Support!

    For Revoke User Session, when you use a non-administrator account, you can only revoke sign-in sessions through the POST /me/revokeSignInSessions endpoint, according to the documentation.

    However, for other users, as Andy David - MVP said, you need an administrator role for security reasons to revoke sign-in sessions through the POST /users/{id | userPrincipalName}/revokeSignInSessions endpoint.

    The official documents may not clearly express this; we are very sorry for the trouble caused to you.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
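The split the accepted answer describes (any signed-in user may revoke their own sessions via /me, but revoking another user's sessions via /users/{id | userPrincipalName} needs an administrator role on top of the consented scopes) is easy to encode in the client. The following is an added example, not code from the question or the answer: it picks the endpoint from whether the target is the caller, URL-encodes the UPN (guest UPNs contain `#EXT#`, which must not reach the path raw), sends no request body, and maps the Authorization_RequestDenied 403 from the question to an actionable outcome. The outcome labels, the `opener` parameter (so the HTTP call can be stubbed offline), and the sample 403 body are my own constructions; the Graph base URL and the two endpoint paths come from the page.

```python
"""Choose the right revokeSignInSessions endpoint for the caller and
interpret Graph's answer. Added example, not from the original post."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def revoke_path(target_upn: str, caller_upn: str) -> str:
    """Self-revocation works for any signed-in user via /me; targeting
    another user needs /users/{id|upn} plus an administrator role."""
    if target_upn.casefold() == caller_upn.casefold():
        return "/me/revokeSignInSessions"
    # safe="" also escapes '#' and '@': guest UPNs look like
    # user_gmail.com#EXT#@tenant.onmicrosoft.com and must be encoded in a path.
    return f"/users/{urllib.parse.quote(target_upn, safe='')}/revokeSignInSessions"


def build_request(token: str, target_upn: str, caller_upn: str) -> urllib.request.Request:
    """The action takes no request body, so no Content-Type/Content-Length is set."""
    return urllib.request.Request(
        GRAPH + revoke_path(target_upn, caller_upn),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def interpret(status: int, body: bytes) -> str:
    """Map Graph's status code and JSON body to an outcome label (labels are mine)."""
    try:
        data = json.loads(body or b"{}")
    except ValueError:
        data = {}
    if status in (200, 204):
        # v1.0 answers 200 with {"value": true}; an empty body is treated as success
        return "revoked" if data.get("value", True) else "not-revoked"
    code = (data.get("error") or {}).get("code", "")
    if status == 401:
        return "bad-token"  # expired or malformed bearer token, not a permission problem
    if status == 403 and code == "Authorization_RequestDenied":
        # Scopes were consented; the caller simply lacks the directory role needed
        # to act on other users. Use /me for self-revocation or an admin's token.
        return "needs-admin"
    if status == 404:
        return "no-such-user"
    return f"unexpected-{status}-{code}"


def revoke(token: str, target_upn: str, caller_upn: str, opener=urllib.request.urlopen) -> str:
    """Perform the call; `opener` is injectable so tests can run offline (assumption)."""
    req = build_request(token, target_upn, caller_upn)
    try:
        with opener(req) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return interpret(e.code, e.read())


if __name__ == "__main__":
    # Constructed copy of the 403 body shown in the question (request ids dropped).
    DENIED = b'{"error":{"code":"Authorization_RequestDenied",' \
             b'"message":"Insufficient privileges to complete the operation."}}'
    print(revoke_path("bob@contoso.com", "alice@contoso.com"))
    print(interpret(403, DENIED))
```

Because the distinction is made on the path and not on the scopes, a non-admin token that carries User.RevokeSessions.All will still reach the needs-admin branch for any target other than itself; the fix is to obtain the token through an account that holds the role, not to add more delegated permissions.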


1 additional answer

  1. Andy David - MVP 153.7K Reputation points MVP
    2025-02-09T15:22:12.74+00:00
    1 person found this answer helpful.
