Leon_H
Frequent Visitor

Force user to log off / revoke session in O365 / Azure

Hi there,

 

I'm trying to build a cloud flow for our Cyber team - what I've got so far is linking MCAS to Power Automate, so that when we get an Impossible Travel alert I can get a series of options presented. One of these is what I want to be a playbook, which signs out the user from 365 / Azure and sends an email to them letting them know of the alert. I can automate the email okay, but can't find an option to force a sign out. How do you do this?

6 REPLIES
Expiscornovus
Super User

Hi @Leon_H,

 

I would have a look at the revokeSignInSessions method of the Microsoft Graph REST API:

https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

 

Below is an example of that approach.

Be aware, this approach uses an HTTP action (premium connector) and requires a Registered App in Azure AD with User.ReadWrite.All, Directory.ReadWrite.All permissions.

 

[Screenshot: revokesigninsessions.PNG]

Leon_H
Frequent Visitor

Thanks for this @Expiscornovus, assuming I did not want to tack on additional costs, would it be possible to trigger this some other way? I.e. using PowerShell to force a sign off based on this flow?

Expiscornovus
Super User

Hi @Leon_H,

 

In the Azure AD PowerShell module there should be a Revoke-AzureADUserAllRefreshToken cmdlet which you can use:

https://docs.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=az...

 

Hi @Expiscornovus,

You can use the "Send an HTTP request" action of the non-premium "Office 365 Groups" connector to do the same.

--------------------------------------------------------------------------------------
Contact me if you are interested in custom Power Automate development.
Expiscornovus
Super User

Hi @VictorIvanidze,

 

Yes, I always try the Office 365 Groups one first (thanks btw for your escape ? forward slash workaround) 😀 But, it did not work in my development tenant setup.

 

Got a 403 with an "Access to invalidate refresh tokens operation is denied" error.

 

Did you get it to work with that specific revokeSignInSessions Graph API request?

Hi @Expiscornovus 

You are right - the Office 365 Groups connector doesn't work for this.

My bad, sorry.

--------------------------------------------------------------------------------------
Contact me if you are interested in custom Power Automate development.
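
Added example, not part of any post in this thread: a PowerShell wrapper around the Revoke-AzureADUserAllRefreshToken cmdlet mentioned above, returning one result object per user so a playbook can log whether the revocation succeeded or was denied. The function name Revoke-UserSignInSession and the sample UPN are hypothetical; it assumes the AzureAD module is installed and the signed-in account is allowed to revoke tokens.

```powershell
#Requires -Modules AzureAD

function Revoke-UserSignInSession {
    # Hypothetical helper name; wraps the AzureAD cmdlets named in the thread.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]   # reject anything that is not UPN-shaped
        [string]$UserPrincipalName
    )
    process {
        # One record per user, suitable for an incident log or ticket.
        $result = [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            ObjectId          = $null
            Revoked           = $false
            Error             = $null
            TimestampUtc      = (Get-Date).ToUniversalTime().ToString('o')
        }
        try {
            # Resolve the UPN first so a typo fails here, not at revocation time.
            $user = Get-AzureADUser -ObjectId $UserPrincipalName -ErrorAction Stop
            $result.ObjectId = $user.ObjectId

            if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke all refresh tokens')) {
                # Invalidates the user's refresh tokens. Access tokens that were
                # already issued stay valid until they expire.
                Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
                $result.Revoked = $true
            }
        }
        catch {
            # Permission failures (such as the 403 reported in the thread) are
            # recorded here instead of stopping the rest of the pipeline.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Interactive sign-in, then revoke for the user named in the alert.
Connect-AzureAD | Out-Null
'alice@contoso.example' | Revoke-UserSignInSession   # constructed sample UPN
```

Run it with -WhatIf first to confirm the user resolves without revoking anything.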
