How to revoke an Azure AD OAuth token?


I set up Azure Active Directory (AAD) based authentication and received an Azure AD OAuth token to start exploring the Microsoft Dynamics 365 Business Central API (https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-develop-connect-apps).

Now I need a way to revoke the token (mentioned above) when a user wants to disconnect from my application. I tried to find an endpoint like .../oauth2/deauthorize and send a POST request to it with data={'refresh_token': <my-refresh-token>} and headers={'Authorization': <my-client-id-client-secret-pair>}.

But I didn't manage to find such a solution :( Could anybody please help me?


Answer (RahulKumarShaw):

If the user is authenticated, he gets an access token along with a refresh token. You can revoke the refresh token using this PowerShell command:

PS C:\> Revoke-AzureADUserAllRefreshToken -ObjectId "a1dxxxxx-7xx6-4xxd-axxx-b7xxxxxxxa33"

or using the Microsoft Graph API:

POST https://graph.microsoft.com/{version}/users/{userobject_id}/invalidateAllRefreshTokens

By doing this, the user will not be able to access Dynamics 365 after the access token expires (1 hour), i.e. he won't be able to receive another access token by using the refresh token.

An access token cannot be revoked, but its lifetime or expiration can be configured.

References:

  1. How to revoke token - Microsoft Q&A
  2. Revoke user access in an emergency in Azure Active Directory - Microsoft Entra | Microsoft Docs
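As an added illustration of the answer above (example code, not from the original post or from Microsoft), the Graph call that invalidates a user's refresh tokens, with the HTTP call injected so it can be exercised offline, plus a helper that reads the `exp` claim of the access token the client still holds, since that token stays valid until it expires. It assumes the `beta` version segment for the `invalidateAllRefreshTokens` action and uses a constructed, unsigned sample token.

```python
import base64
import json
import time
from typing import Any, Callable, Dict, Optional

# Assumption: the invalidateAllRefreshTokens action is called on the beta version.
GRAPH_BASE = "https://graph.microsoft.com/beta"


def revoke_refresh_tokens(user_object_id: str, admin_token: str,
                          post: Callable[[str, Dict[str, str]], Any]) -> Any:
    """Send the Graph request that invalidates all refresh tokens of one user.

    `post(url, headers)` is injected (e.g. a wrapper around requests.post) so the
    request construction can be checked without network access. The caller's
    token must carry a Graph permission allowing this action."""
    url = f"{GRAPH_BASE}/users/{user_object_id}/invalidateAllRefreshTokens"
    headers = {"Authorization": f"Bearer {admin_token}"}
    return post(url, headers)


def access_token_seconds_left(access_token: str, now: Optional[float] = None) -> int:
    """Revocation does not kill an already-issued access token; report how long
    the one the client holds remains valid by reading its `exp` claim.
    The signature is not verified here: this is a client-side lifetime check."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    now = time.time() if now is None else now
    return max(0, int(payload["exp"] - now))


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not a real Azure AD token): header.payload.signature
SAMPLE_EXP = 1_700_000_000
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "https://api.businesscentral.dynamics.com", "exp": SAMPLE_EXP}),
    "constructed-signature",
])

if __name__ == "__main__":
    def dry_run_post(url: str, headers: Dict[str, str]) -> dict:
        return {"url": url, "headers": headers}  # no request is sent in the dry run

    print(revoke_refresh_tokens("<user-object-id>", "<admin-access-token>", dry_run_post))
    print(access_token_seconds_left(SAMPLE_ACCESS_TOKEN, now=SAMPLE_EXP - 600))
```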