Timo89

Reputation: 521

Microsoft identity - revoke authorization

I'm developing a .NET application that can send emails on behalf of the user using the Graph API.

Users are prompted to authorize the application; the acquired access token is then used to call the Graph API. The refresh token is used to issue a new access token when the old one expires, as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Couple of questions / observations:

  1. Assume user John authorizes the app to send emails on his behalf. If an administrator removes the app from the Azure portal, the access/refresh tokens issued when John authorized the app will still work.

Is this behavior intended?

After reading https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-revoke-access and https://learn.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0 it seems that simply removing the app from the user doesn't revoke the tokens.

  2. Assume user John authorizes the app to send emails on his behalf. If John goes to https://myapplications.microsoft.com and removes the app he won't be able to use the refresh token to get a new access token, which is expected.

However, I've noticed that if John reauthorizes the application to perform actions on his behalf, the application won't show up on https://myapplications.microsoft.com anymore. This behavior seems a bit inconsistent. What's the proper way for a user to revoke access to an application?

Upvotes: 2

Views: 920

Answers (1)

Carl Zhao

Reputation: 9549

If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.

The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.

If you need to revoke authorization during the lifetime of the access token, please see: here and here.

Upvotes: 2
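The refresh-token step the question describes, and the behaviour the answer explains (a cached access token stays usable until it expires, but the refresh token stops working once the grant is revoked), are shown below as an added example written for this page; it is not code from the question, the answer, or Microsoft. It builds the `grant_type=refresh_token` request for the v2 token endpoint, then classifies the response so that a revoked grant (`invalid_grant` / `interaction_required`, which are the OAuth error strings the identity platform uses for this case) clears the stored refresh token and sends the user back through consent instead of being retried forever. The HTTP layer is a pluggable transport with constructed responses so the script runs offline; `common`, the client id, and all token values are placeholders.

```python
"""Refresh-token handling for the Microsoft identity platform v2 auth-code flow,
written so that a revoked grant is handled explicitly rather than retried blindly.
Added example for this page; not code from the original question or answer."""
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# v2 token endpoint from the auth-code-flow documentation linked in the question.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Transport abstraction so the example runs offline: (url, form_body) -> (status, body)
Transport = Callable[[str, str], Tuple[int, str]]


@dataclass
class TokenCache:
    """What the app persists per user. Only the refresh token is long-lived."""
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_on: float = 0.0  # epoch seconds, derived from expires_in at issue time

    def access_token_usable(self, now: float, skew: float = 300.0) -> bool:
        # An issued access token keeps working until it expires even after the
        # grant is revoked, so usability is decided purely on time here.
        return self.access_token is not None and now + skew < self.expires_on


def build_refresh_request(tenant: str, client_id: str, refresh_token: str,
                          scope: str, client_secret: Optional[str] = None) -> Tuple[str, str]:
    """Form body for grant_type=refresh_token as documented for the v2 flow."""
    params = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    }
    if client_secret is not None:  # confidential client (web app)
        params["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(params)


def refresh_access_token(transport: Transport, cache: TokenCache, tenant: str,
                         client_id: str, scope: str, now: float,
                         client_secret: Optional[str] = None) -> str:
    """Returns "ok", "reauthorize", "retry" or "config_error".

    "reauthorize" means the grant is gone (user removed the app, admin revoked
    refresh tokens, app deleted): the dead refresh token is discarded and the
    caller must send the user through the authorization prompt again.
    """
    if cache.refresh_token is None:
        return "reauthorize"
    url, body = build_refresh_request(tenant, client_id, cache.refresh_token, scope, client_secret)
    status, text = transport(url, body)
    try:
        payload = json.loads(text)
    except ValueError:
        return "retry" if status >= 500 else "config_error"

    if status == 200 and "access_token" in payload:
        cache.access_token = payload["access_token"]
        cache.expires_on = now + float(payload.get("expires_in", 3600))
        # The endpoint may rotate the refresh token; always keep the newest one.
        cache.refresh_token = payload.get("refresh_token", cache.refresh_token)
        return "ok"

    error = payload.get("error", "")
    if error in ("invalid_grant", "interaction_required"):
        # Grant revoked or consent required again: drop cached credentials.
        cache.refresh_token = None
        cache.access_token = None
        cache.expires_on = 0.0
        return "reauthorize"
    if status == 429 or status >= 500 or error == "temporarily_unavailable":
        return "retry"
    return "config_error"  # invalid_client, unauthorized_client, etc.


# Constructed transport that simulates the token endpoint before/after revocation.
def make_fake_transport(revoked: bool) -> Transport:
    def transport(url: str, body: str) -> Tuple[int, str]:
        assert url.endswith("/oauth2/v2.0/token") and "grant_type=refresh_token" in body
        if revoked:
            # Shape of the v2 error response; descriptions vary by cause.
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "constructed: grant was revoked"})
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                "access_token": "constructed-access-token-2",
                                "refresh_token": "constructed-refresh-token-2"})
    return transport


if __name__ == "__main__":
    cache = TokenCache(access_token="constructed-access-token-1",
                       refresh_token="constructed-refresh-token-1", expires_on=1000.0)
    scope = "Mail.Send offline_access"
    print(refresh_access_token(make_fake_transport(False), cache, "common", "client-id", scope, now=2000.0))
    print(refresh_access_token(make_fake_transport(True), cache, "common", "client-id", scope, now=2000.0),
          cache.refresh_token)
```

The design point is that `invalid_grant` is treated as a terminal state for the stored refresh token: the app should forget it and require a fresh authorization, which also gives the user a new entry at https://myapplications.microsoft.com if they later want to revoke again. Transient failures (429, 5xx) are the only responses worth retrying with the same refresh token.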
