Revoke-EntraSignedInUserAllRefreshToken
Invalidates the refresh tokens issued to applications for the current user.
Syntax
Revoke-EntraSignedInUserAllRefreshToken
[]
Description
The Revoke-EntraSignedInUserAllRefreshToken cmdlet invalidates all the refresh tokens issued to applications for a user (and the session cookies in the user's browser) by resetting the signInSessionsValidFromDateTime user property to the current date and time.
The user or an administrator typically performs this operation if the user's device is lost or stolen. This action prevents access to the organization's data on the device by requiring the user to sign in again to all previously consented applications, regardless of the device.
Note: If an application attempts to redeem a delegated access token for this user using an invalidated refresh token, the application receives an error. When this happens, the application needs to acquire a new refresh token by making a request to the authorization endpoint, which forces the user to sign in again.
After you run this command, a small delay of a few minutes can occur before tokens are revoked.
Examples
Example 1: Revoke refresh tokens for the current user
Connect-Entra -Scopes 'User.RevokeSessions.All'
Revoke-EntraSignedInUserAllRefreshToken
Value
-----
True
This command revokes the tokens for the current user.
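Because revocation can take a few minutes to propagate, a practitioner usually wants to confirm that signInSessionsValidFromDateTime actually advanced after the call. The following script is an added example and is not part of the Microsoft Entra PowerShell documentation; it assumes the Microsoft.Entra module and its Microsoft.Graph.Authentication dependency (for Invoke-MgGraphRequest) are installed, and that the User.Read scope is sufficient to read the property on /me.

```powershell
# Added example (not from the Entra PowerShell docs): revoke the signed-in
# user's refresh tokens, then verify by polling signInSessionsValidFromDateTime.
# Assumption: User.Read is enough to read that property on /me.
Connect-Entra -Scopes 'User.RevokeSessions.All', 'User.Read'

function Get-SignInSessionsValidFrom {
    # The property the cmdlet resets; Graph returns it only when $select-ed.
    # Invoke-MgGraphRequest comes from Microsoft.Graph.Authentication (assumed installed).
    $me = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/me?$select=signInSessionsValidFromDateTime'
    return [datetime]$me.signInSessionsValidFromDateTime
}

$before = Get-SignInSessionsValidFrom
Write-Host "Before revocation: $($before.ToString('o'))"

# The cmdlet returns an object whose Value property is True on success,
# matching the output shown in Example 1.
$result = Revoke-EntraSignedInUserAllRefreshToken
if (-not $result.Value) {
    throw 'Revoke-EntraSignedInUserAllRefreshToken did not report success'
}

# Revocation can lag by a few minutes, so poll rather than checking once.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $after = Get-SignInSessionsValidFrom
} while ($after -le $before -and (Get-Date) -lt $deadline)

if ($after -gt $before) {
    Write-Host "Revoked: signInSessionsValidFromDateTime is now $($after.ToString('o'))"
} else {
    Write-Warning 'signInSessionsValidFromDateTime did not advance within 5 minutes; re-check before assuming sessions are revoked.'
}
```

Any refresh token or session cookie issued before the new timestamp is rejected, so a later sign-in to each application is the expected behaviour, not an error.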