How to Revoke OAuth Refresh Token in Azure Active Directory?
In the event of a hacking or phishing attack, the first thing you will hear from your security team is to revoke the OAuth refresh tokens and reset the passwords of the affected Azure Active Directory users.
What is an OAuth refresh token in Azure AD?
An OAuth refresh token in Azure AD is a special type of token that is issued along with an access token when a user authorizes a client application to access their resources. While an access token is used to grant access to resources, a refresh token is used to obtain a new access token when the original access token expires.
Refresh tokens have a longer expiration time than access tokens and can be used to request new access tokens without prompting the user to re-authenticate. This can improve the user experience by reducing the number of times they need to enter their credentials.
How to Revoke the OAuth refresh token for a Single User?
You need to connect to Azure Active Directory using PowerShell. The admin account you sign in with must be a member of the Global Admin role.
Connect-AzureAD
Run the following command.
Revoke-AzureADUserAllRefreshToken -ObjectId User@yourdomain.com
You can also pass the user's actual ObjectId, which you can obtain from the Get-AzureADUser command.
How to Revoke the OAuth refresh token for Multiple Users?
Let’s assume you have already connected to Azure Active Directory in PowerShell.
You need to create a security group and add all the affected users to it. You can use the import members function of Azure Active Directory groups. In the Overview section of the group, find the Object ID.
Run the following commands.
$ObjectID = Read-Host -Prompt 'Please paste the ObjectID of the group here'
Get-AzureADGroupMember -ObjectId $ObjectID -All $true | Select-Object -Property ObjectId | Revoke-AzureADUserAllRefreshToken
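The following script is an added example and not code from the original post. It wraps the single-user and group commands above in one function that records the outcome per user, which is what you want during an incident: a list of who was revoked, when, and which revocations failed. It assumes the AzureAD PowerShell module and a signed-in account in the Global Admin role; the user UPN and the group Object ID are placeholders. It also filters the group membership to user objects, because Get-AzureADGroupMember returns nested groups and service principals too, and Revoke-AzureADUserAllRefreshToken cannot act on those.

```powershell
# Added example, not code from the original post. Assumes the AzureAD
# PowerShell module and a signed-in account in the Global Admin role.
# The UPN and the group Object ID prompt below are placeholders.

Connect-AzureAD

function Revoke-RefreshTokensForUsers {
    # Revokes all refresh tokens for each user object passed in and returns
    # one result record per user, so failures are visible and the run can be
    # kept as part of the incident record.
    param(
        [Parameter(Mandatory)]
        [object[]]$Users
    )

    foreach ($user in $Users) {
        try {
            Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
            $ok  = $true
            $err = $null
        }
        catch {
            $ok  = $false
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            ObjectId          = $user.ObjectId
            Revoked           = $ok
            RevokedAtUtc      = (Get-Date).ToUniversalTime()
            Error             = $err
        }
    }
}

# Single user: same effect as the one-liner in the post, with a result record.
$single  = Get-AzureADUser -ObjectId 'user@yourdomain.com'   # placeholder UPN
$results = @(Revoke-RefreshTokensForUsers -Users $single)

# Multiple users via a security group. Keep only user objects: nested groups
# and service principals are returned as members too and would make the
# revoke cmdlet fail for those entries.
$groupObjectId = Read-Host -Prompt 'Please paste the ObjectID of the group here'
$members = Get-AzureADGroupMember -ObjectId $groupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }
$results += Revoke-RefreshTokensForUsers -Users $members

# Review the outcome and keep a CSV for the incident timeline.
$results | Format-Table UserPrincipalName, Revoked, Error -AutoSize
$results | Export-Csv -Path ".\RefreshTokenRevocation_$(Get-Date -Format 'yyyyMMdd_HHmm').csv" -NoTypeInformation
```

Run it in the same session you used for Connect-AzureAD. Any row with Revoked set to False should be retried or escalated, since a user whose tokens were not revoked keeps a working session until the attacker's refresh token expires on its own.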
How long does it take to revoke the token?
There is no specific time mentioned, but revocation only blocks the refresh token; access tokens that were already issued stay valid until they expire. According to Microsoft:
"Access tokens issued by Azure AD by default last for 1 hour. If the authentication protocol allows, the app can silently reauthenticate the user by passing the refresh token to the Azure AD when the access token expires."
Audit Logs of Revoke-AzureADUserAllRefreshToken
You can verify in the audit logs of Users in Azure Active Directory that the token has been revoked. The entry looks like this:
Activity
Date: 2/24/2023, 9:41 AM
Activity Type: Update StsRefreshTokenValidFrom Timestamp
Correlation ID: 717cdf50-f664-4b91-bd2e-de48173579c6
Category: UserManagement
Status: success
Status reason:
User Agent:
Initiated by (actor)
Type: User
Display Name:
Object ID: 00000000-0000-0000-0000-000000000000
User Principal Name: fim_password_service@support.onmicrosoft.com
Additional Details
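Instead of reading the portal, the check can be scripted. The following is an added example, not code from the original post. It first reads the user's RefreshTokensValidFromDateTime property, which Azure AD moves forward to the time of revocation (refresh tokens issued before that timestamp are no longer accepted), and then looks for the "Update StsRefreshTokenValidFrom Timestamp" audit entry shown above. It assumes an existing Connect-AzureAD session; the audit-log cmdlet Get-AzureADAuditDirectoryLogs is in the AzureADPreview module, so that module is assumed to be installed and imported in place of AzureAD. The UPN is a placeholder.

```powershell
# Added example, not code from the original post. Assumes a Connect-AzureAD
# session made with the AzureADPreview module (needed for
# Get-AzureADAuditDirectoryLogs). The UPN is a placeholder.

$Upn = 'user@yourdomain.com'

# Check 1: the per-user timestamp. Refresh tokens issued before this value
# are rejected, so after a successful revocation it sits at the revoke time.
$user = Get-AzureADUser -ObjectId $Upn
$validFrom = $user.RefreshTokensValidFromDateTime
"RefreshTokensValidFromDateTime for $($user.UserPrincipalName): $validFrom"

if ($validFrom -and $validFrom -gt (Get-Date).ToUniversalTime().AddMinutes(-15)) {
    "Refresh tokens were revoked within the last 15 minutes."
}
else {
    "No recent revocation found for this user; re-run the revoke and check for errors."
}

# Check 2: the audit log entry the post shows. Filter by the activity name
# and a time window rather than pulling the whole log.
$since  = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'Update StsRefreshTokenValidFrom Timestamp' and activityDateTime ge $since"

Get-AzureADAuditDirectoryLogs -Filter $filter -All $true |
    Where-Object { $_.TargetResources.UserPrincipalName -contains $Upn } |
    Select-Object ActivityDateTime,
                  ActivityDisplayName,
                  Result,
                  CorrelationId,
                  @{ Name = 'Actor'; Expression = { $_.InitiatedBy.User.UserPrincipalName } }
```

The first check is the faster one and needs only the AzureAD module. The second check gives you the correlation ID and the actor, which is what an incident report usually needs, and an empty result for a user you believe you revoked is a sign that the revoke call did not go through.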