
So what I am searching for is a revoke OAuth2 access endpoint like Google's on the Microsoft identity platform.

Basically I have an app X which uses the Microsoft identity platform and Graph API to gain access to and use users' mail, calendar, contacts etc.

When the user wants their Microsoft access to be removed from my app or wishes to delete their account:

  • I need to revoke the access token and refresh token I have, and my app should be removed from 'Microsoft Portal -> Privacy -> Apps and services that can access your data' so that the user can be sure that the integration is removed.

This feature is available with Google's APIs (Google Revoke Access link). So when I hit this API with my refresh token, all the access is removed and my app disappears from the 'Google dashboard -> apps which access your data' screen too.

Can you guys please help me find if this is available with Microsoft's API and point me towards it? Thanks.

mohamed Arshad

1 Answer


The Revoke-AzureADUserAllRefreshToken cmdlet will invalidate the application refresh tokens generated for a user, which also invalidates tokens issued to session cookies in a browser for the user.

NOTE: So if the user has access or has granted access to the application, Azure AD will generate an access token which has a lifetime of one hour.

During this time, even if the app is deleted, there are chances it is still available. Azure AD issues a refresh token along with the access token for the resource.

If this is revoked, the user won't be able to obtain the token again after the access token expires.

To revoke authorization in between the life span of the access token, please check the commands below.

The cmdlet operates by resetting the refreshTokensValidFromDateTime user property to the current date and time.

Ex: using PowerShell

PS C:\> Revoke-AzureADUserAllRefreshToken -ObjectId "a1dxxxxx-7xx6-4xxd-axxx-b7xxxxxxxa33"
  • This command revokes the refresh tokens of the specified user, based on the object ID of the user.

The same operation using the Microsoft Graph API:

POST https://graph.microsoft.com/{version}/users/{userobject_id}/invalidateAllRefreshTokens
  • Whereas the command below (PowerShell) revokes the refresh tokens for the currently logged-in user.

    Revoke-AzureADSignedInUserAllRefreshToken

  • As the admin, you can remove the user from the "Users and groups" section of the enterprise app.


  • If the user has consented to the application and "User assignment required?" is set to No under Properties, then the user can directly go to the portal and delete the app.

The app will not be visible for that user when visiting the My Apps portal in both of the above cases.

Note: When user assignment is not required, unassigned users don't see the app in their My Apps.

You can use the following script to remove a user and role from an application:

$user = Get-AzureADUser -ObjectId <objectId>
$spo = Get-AzureADServicePrincipal -ObjectId <objectId>

# Get the ID of the role assignment which is assigned to the user, so that it can be unassigned
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId | Where {$_.PrincipalDisplayName -eq $user.DisplayName}

# The command below will show everything that is assigned
$assignments | Select *

# To remove the app role assignment, use the command below (replace <assignment #> with the index of the assignment to remove)
Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[<assignment #>].ObjectId

References:

  1. Delete oAuth2PermissionGrant (a delegated permission grant) - Microsoft Graph v1.0 | Microsoft Docs
  2. Revoke user access in an emergency in Azure Active Directory - Microsoft Entra | Microsoft Docs
kavyaS
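Putting the answer's steps together for a single app and a single tenant (work or school) user, as an added example that is not part of the answer above: it deletes the user's delegated permission grant for the app (the oAuth2PermissionGrant object documented in reference 1, which is what backs the app's entry in the user's list of apps with access), removes any app role assignment, and then invalidates refresh tokens. It assumes the AzureAD PowerShell module with an admin session already opened via Connect-AzureAD, a user in a tenant you administer (these cmdlets do not manage Microsoft personal accounts), and $AppId / $UserUpn are placeholders you supply.

```powershell
# Added example, not code from the answer above. Assumes Connect-AzureAD has
# already been run as an administrator of the tenant the user belongs to.
param(
    [Parameter(Mandatory)] [string] $AppId,    # application (client) ID of the app to disconnect
    [Parameter(Mandatory)] [string] $UserUpn   # user principal name of the affected user
)

$user = Get-AzureADUser -ObjectId $UserUpn
$sp   = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId in this tenant" }

# 1. Delete the delegated permission grant(s) the user consented to for this app.
#    Grants with ConsentType 'AllPrincipals' (admin consent) have no PrincipalId
#    and are deliberately left alone here, since they are not this user's consent.
$grants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId -and $_.PrincipalId -eq $user.ObjectId }
foreach ($g in $grants) {
    Write-Host "Removing delegated grant $($g.ObjectId) (scopes: $($g.Scope))"
    Remove-AzureADOAuth2PermissionGrant -ObjectId $g.ObjectId
}

# 2. Remove any app role assignment so the app no longer appears in My Apps.
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $user.ObjectId }
foreach ($a in $assignments) {
    Write-Host "Removing app role assignment $($a.ObjectId)"
    Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $a.ObjectId
}

# 3. Invalidate the user's refresh tokens so the app cannot renew its access token.
#    This cuts every refresh token for the user, not only this app's, and access
#    tokens already issued remain valid until they expire (about one hour).
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 4. Verify that no delegated grant remains for this app/user pair.
$remaining = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId -and $_.PrincipalId -eq $user.ObjectId }
if ($remaining) { Write-Warning "Grants still present: $($remaining.ObjectId -join ', ')" }
else { Write-Host "Revocation complete for $UserUpn / $AppId" }
```

The Graph equivalent of step 1 is DELETE /oauth2PermissionGrants/{id} on the grant IDs returned by GET /users/{id}/oauth2PermissionGrants, which is the operation reference 1 documents.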
  • Thanks for the reply, but the API that you've mentioned will invalidate all of their refresh tokens, it seems, and I don't want that. To be clear: I'm dealing mostly with Microsoft personal accounts here. 1. In my case I just want my app to be gone from my users' "connected 3rd party apps" screen on the Microsoft portal. 2. The above [1] can be done manually by the user if he visits MS dashboard -> 3rd party access -> and removes it there. 3. I'm just asking if [2] can be done programmatically by the app itself before it deletes the refresh token. – mohamed Arshad Jun 17 '22 at 11:10