# Session Revocation — Microsoft Entra
Challenge invalidates Microsoft Entra (Azure AD) sign-in sessions using the Microsoft Graph API.
## Credentials
Challenge stores a Microsoft Graph access token (Bearer) used for lookup and revocation. Obtain a token through your preferred method:
- App registration (recommended for automation): Register an app in Entra ID, grant application permissions (see below), and acquire a client-credentials token for https://graph.microsoft.com/.default.
- Short-lived testing: Use Graph Explorer or similar to generate a token, paste it into Challenge, and replace it before expiry.
Paste the token into Challenge under Integrations → Session Revocation → Microsoft Entra.
## API calls Challenge makes
| Step | Method | Endpoint |
|---|---|---|
| Lookup | GET | https://graph.microsoft.com/v1.0/users?$filter=userPrincipalName eq '...' or mail eq '...' |
| Revoke | POST | https://graph.microsoft.com/v1.0/users/{id}/revokeSignInSessions |
## Least-privilege guidance
Grant application permissions (admin consent required), not excess directory roles:
| Permission | Purpose |
|---|---|
| User.Read.All | Resolve user by UPN or mail |
| User.RevokeSessions.All | Invalidate refresh tokens and end browser sessions per Microsoft’s model |
See revokeSignInSessions and the Microsoft Graph permissions reference. Revocation invalidates refresh tokens and browser sessions, but access tokens that were already issued may remain valid until they expire; plan containment accordingly.
Rotate the client secret on your app registration on a schedule; update the token in Challenge when using client credentials.
## Username format
Use the user’s user principal name (UPN) or mail attribute.
## Troubleshooting
| Symptom | Check |
|---|---|
| user_not_found | UPN or mail does not match Entra profile |
| http_403 | Missing Graph scopes or admin consent |
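The client below is an added example, not Challenge's own code, that walks the same two Graph calls listed under "API calls Challenge makes" (lookup by UPN or mail, then `revokeSignInSessions`), acquires the token with the client-credentials grant described under "Credentials", and reports the same symptom names as the Troubleshooting table. It assumes an app registration with the two application permissions above; the environment variable names, the `transport` hook and the canned responses used for testing are assumptions. The `transport` parameter exists so the flow can be exercised offline against canned Graph responses; in production the default `urllib` transport talks to Graph.

```python
"""Resolve an Entra user by UPN or mail, then revoke their sign-in sessions via Microsoft Graph.

Hypothetical client mirroring the two Graph calls described on this page; not Challenge's own code.
The `transport` parameter is injectable so the flow can be exercised against canned responses.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def urllib_transport(method, url, headers=None, body=None):
    """Default transport: returns (status, body text). HTTP errors come back as a status, not an exception."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def acquire_token(tenant_id, client_id, client_secret, transport=urllib_transport):
    """Client-credentials grant for the .default scope of an app registration (assumed to exist)."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    status, body = transport("POST", TOKEN_URL.format(tenant=tenant_id),
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"http_{status}")
    return json.loads(body)["access_token"]


def lookup_url(identifier):
    """Build the lookup URL from the page's $filter. A single quote in the identifier is doubled
    (OData string-literal escaping) so the value cannot break out of the quoted literal, and the
    whole filter is percent-encoded for the query string."""
    literal = identifier.replace("'", "''")
    flt = f"userPrincipalName eq '{literal}' or mail eq '{literal}'"
    return f"{GRAPH}/users?$filter={urllib.parse.quote(flt)}&$select=id,userPrincipalName"


def resolve_user(identifier, token, transport=urllib_transport):
    """Return the object id for exactly one matching user, or raise with the page's symptom names."""
    status, body = transport("GET", lookup_url(identifier), {"Authorization": f"Bearer {token}"})
    if status == 403:
        raise PermissionError("http_403")      # User.Read.All missing or not admin-consented
    if status != 200:
        raise RuntimeError(f"http_{status}")
    hits = json.loads(body).get("value", [])
    if len(hits) != 1:
        raise LookupError("user_not_found")    # no match, or an ambiguous match we refuse to act on
    return hits[0]["id"]


def revoke_sessions(user_id, token, transport=urllib_transport):
    """POST revokeSignInSessions; Graph answers 200 with {"value": true} on success (204 tolerated)."""
    status, body = transport("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions",
                             {"Authorization": f"Bearer {token}", "Content-Length": "0"})
    if status == 403:
        raise PermissionError("http_403")      # User.RevokeSessions.All missing or not admin-consented
    if status == 204:
        return True
    if status != 200:
        raise RuntimeError(f"http_{status}")
    return json.loads(body).get("value") is True


def revoke_user(identifier, token, transport=urllib_transport):
    """Lookup then revoke; the result string matches the Troubleshooting table's symptom names."""
    try:
        user_id = resolve_user(identifier, token, transport)
    except (LookupError, PermissionError, RuntimeError) as err:
        return str(err)
    try:
        return "revoked" if revoke_sessions(user_id, token, transport) else "not_confirmed"
    except (PermissionError, RuntimeError) as err:
        return str(err)


if __name__ == "__main__":
    # Assumed environment variable names; tenant id, client id and secret are placeholders you supply.
    tok = acquire_token(os.environ["ENTRA_TENANT_ID"], os.environ["ENTRA_CLIENT_ID"],
                        os.environ["ENTRA_CLIENT_SECRET"])
    print(revoke_user(os.environ["TARGET_USER"], tok))
```

`resolve_user` refuses to act on anything but exactly one match, so a filter that happens to hit two accounts (for example a UPN on one user and a `mail` value on another) surfaces as `user_not_found` rather than revoking the wrong person's sessions. A `revoked` result means Graph accepted the call; as noted above, access tokens already issued stay valid until they expire.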