How to Revoke an OAuth Refresh Token in Azure Active Directory?

In the event of a compromise such as a phishing attack, the first thing you will hear from your security team is: revoke the OAuth refresh tokens and reset the passwords of the affected Azure Active Directory users. Do both; revoking tokens alone leaves an attacker who still holds the password free to sign in again and obtain new tokens.

What is an OAuth refresh token in Azure AD?

An OAuth refresh token in Azure AD is a special type of token that is issued along with an access token when a user authorizes a client application to access their resources. While an access token is used to grant access to resources, a refresh token is used to obtain a new access token when the original access token expires.

Refresh tokens have a much longer lifetime than access tokens and can be redeemed for new access tokens without prompting the user to re-authenticate. This improves the user experience by reducing how often credentials must be entered, but it is also why they matter in an incident: a stolen refresh token lets an attacker keep minting access tokens long after the original sign-in, so it has to be revoked rather than waited out.

How to Revoke the OAuth Refresh Token for a Single User?

You need to connect to Azure Active Directory with the AzureAD PowerShell module. The account you sign in with must hold a role that is allowed to revoke tokens, such as Global Administrator. (Microsoft has since deprecated the AzureAD module; the Microsoft Graph PowerShell equivalent is Revoke-MgUserSignInSession, but the commands below use the AzureAD module this post was written for.)

Connect-AzureAD

Run the following command.

Revoke-AzureADUserAllRefreshToken -ObjectId User@yourdomain.com

The -ObjectId parameter accepts either the user principal name, as above, or the user's object ID (GUID), which you can look up with Get-AzureADUser.

How to Revoke the OAuth refresh token for Multiple Users?

Let’s assume you have already connected to Azure Active Directory in PowerShell.

Create a security group and add all the affected users to it (the import members function on the group's Members page lets you add them in bulk). Then copy the group's Object ID from its Overview section.

Run the following commands.

$ObjectID = Read-Host -Prompt 'Please paste the ObjectID of the group here'

Get-AzureADGroupMember -ObjectId $ObjectID -All $true | Where-Object { $_.ObjectType -eq 'User' } | Select-Object -Property ObjectId | Revoke-AzureADUserAllRefreshToken

Use straight quotes in the Read-Host prompt; the curly quotes a word processor inserts are a syntax error in PowerShell. The Where-Object filter matters because Get-AzureADGroupMember also returns nested groups, devices and service principals, and Revoke-AzureADUserAllRefreshToken fails on those.
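As an added example (not code from the original post), here is the bulk procedure above as one script that also verifies each revocation by reading the user's RefreshTokensValidFromDateTime attribute before and after the call, and writes a CSV record for the incident file. It assumes the AzureAD module is loaded and Connect-AzureAD has already succeeded; the parameter names and the default log path are assumptions of this example, not anything from the post.

```powershell
# Added example (not the original post's code): revoke refresh tokens for every
# user in a group, verify the change, and keep a record.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run
# with an account holding a role that is allowed to revoke tokens.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$GroupObjectId,                  # Object ID from the group's Overview page
    [string]$LogPath = ".\revoke-log.csv"    # assumed location for the IR record
)

# Only members of type User are valid targets; nested groups, devices and
# service principals returned by Get-AzureADGroupMember must be skipped.
$members = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

if (-not $members) {
    Write-Warning "Group $GroupObjectId has no user members; nothing to revoke."
    return
}

$results = foreach ($m in $members) {
    # The revocation works by moving this timestamp forward; tokens issued
    # before it can no longer be redeemed.
    $before = (Get-AzureADUser -ObjectId $m.ObjectId).RefreshTokensValidFromDateTime
    try {
        Revoke-AzureADUserAllRefreshToken -ObjectId $m.ObjectId -ErrorAction Stop
        $after = (Get-AzureADUser -ObjectId $m.ObjectId).RefreshTokensValidFromDateTime
        # If the directory has not yet reflected the new value, flag it for a
        # second look rather than reporting success.
        $status = if ($after -gt $before) { 'Revoked' } else { 'Revoked-Unverified' }
        $err = ''
    } catch {
        $after  = $before
        $status = 'Failed'
        $err    = $_.Exception.Message
    }
    [pscustomobject]@{
        UserPrincipalName = $m.UserPrincipalName
        ObjectId          = $m.ObjectId
        ValidFromBefore   = $before
        ValidFromAfter    = $after
        Status            = $status
        Error             = $err
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $LogPath -NoTypeInformation
```

Run it as .\Revoke-GroupTokens.ps1 -GroupObjectId <group-guid>. Any row that is not Revoked needs follow-up: Failed rows usually mean a permissions problem on the signed-in account, and Revoked-Unverified rows should be re-read after a minute. Remember that access tokens already issued to the attacker keep working until they expire, so the password reset still has to happen.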

How Long Does It Take to Revoke the Token?

Microsoft does not publish a fixed propagation time. The revocation takes effect the next time a client tries to redeem the user's refresh token, which then fails and forces a fresh sign-in. Access tokens that were already issued keep working until they expire, which is 1 hour by default; only resources that support Continuous Access Evaluation (for example Exchange Online and SharePoint Online) can reject an existing access token earlier. According to Microsoft:

“Access tokens issued by Azure AD by default last for 1 hour. If the authentication protocol allows, the app can silently reauthenticate the user by passing the refresh token to the Azure AD when the access token expires.”

Audit Logs of Revoke-AzureADUserAllRefreshToken

You can confirm the revocation in the user's Audit logs in Azure Active Directory: look for the activity "Update StsRefreshTokenValidFrom Timestamp" with status "success". That activity is the underlying change, an update to the user's RefreshTokensValidFromDateTime attribute, so any path that revokes tokens (the cmdlet, a password reset, a sign-out from the portal) produces the same entry. Below is a sample entry; empty fields were blank in the log.

Activity
Date: 2/24/2023, 9:41 AM
Activity Type: Update StsRefreshTokenValidFrom Timestamp
Correlation ID: 717cdf50-f664-4b91-bd2e-de48173579c6
Category: UserManagement
Status: success
Status reason: (blank)
User Agent: (blank)

Initiated by (actor)
Type: User
Display Name: (blank)
Object ID: 00000000-0000-0000-0000-000000000000
User Principal Name: fim_password_service@support.onmicrosoft.com

Additional Details: (blank)

Note that in this sample the actor is the fim_password_service@support.onmicrosoft.com service account rather than an admin, so when you review the log, use the Initiated by field to tell an admin-run revocation from one triggered by another process such as a password reset. The Correlation ID ties the entry to any related sign-in or directory events.
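As an added example (not code from the original post), the following script pulls the same audit entries over the Microsoft Graph PowerShell SDK instead of clicking through the portal, and flags any revocation whose actor is not one of the accounts you expect to be running it. It assumes the Microsoft.Graph.Reports module is installed and that Connect-MgGraph has been run with the AuditLog.Read.All and Directory.Read.All scopes; the parameter names and the placeholder admin UPN are assumptions of this example.

```powershell
# Added example (not from the original post): list "Update StsRefreshTokenValidFrom
# Timestamp" audit events via Microsoft Graph and flag unexpected actors.
# Assumes Microsoft.Graph.Reports is installed and that you have already run:
#   Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
[CmdletBinding()]
param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    # Accounts expected to run the revocation; anything else deserves a look.
    [string[]]$ExpectedActors = @('ir-admin@yourdomain.com')   # placeholder value
)

$activity = 'Update StsRefreshTokenValidFrom Timestamp'
$sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Server-side filter on the activity name and time window; -All follows paging.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq '$activity' and activityDateTime ge $sinceUtc"

$report = foreach ($e in $events) {
    # The actor is either a user or an application; fall back to the app name.
    $actor = $e.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $e.InitiatedBy.App.DisplayName }
    # The first target resource is the user whose tokens were revoked.
    $target = ($e.TargetResources | Select-Object -First 1).UserPrincipalName
    [pscustomobject]@{
        Time          = $e.ActivityDateTime
        Target        = $target
        Actor         = $actor
        Result        = $e.Result
        CorrelationId = $e.CorrelationId
        Unexpected    = ($actor -notin $ExpectedActors)
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object Unexpected | ForEach-Object {
    Write-Warning "Token revocation for $($_.Target) at $($_.Time) was initiated by $($_.Actor)"
}
```

During an incident this gives you a single list of who revoked what and when, which is easier to attach to the case than portal screenshots, and the Unexpected column surfaces revocations you did not perform yourself, including those initiated by service accounts such as the one in the sample entry above.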
