Anonymous
Not applicable

Force user to log off / revoke session in O365 / Azure

Hi there,

 

I'm trying to build a cloud flow for our Cyber team - what I've got so far is linking MCAS to Power Automate, so that when we get an Impossible Travel alert I can get a series of options presented. One of these is what I want to be a playbook, which signs out the user from 365 / Azure and sends an email to them letting them know of the alert. I can automate the email okay, but can't find an option to force a sign out. How do you do this?

6 REPLIES 6
Expiscornovus
Super User

Hi @Anonymous,

 

I would have a look at the revokeSignInSessions method of the Microsoft Graph REST API:

https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

 

Below is an example of that approach.

Be aware, this approach uses an HTTP action (premium connector) and requires a registered app in Azure AD with User.ReadWrite.All, Directory.ReadWrite.All permissions.

 

revokesigninsessions.PNG



Happy to help out! 🙂

Interested in more #PowerAutomate #SharePointOnline or #PowerVirtualAgents content?
Visit my blog, Subscribe to my YouTube channel or Follow me on Twitter


Anonymous
Not applicable

Thanks for this @Expiscornovus, assuming I did not want to tack on additional costs, would it be possible to trigger this some other way? I.e. using PowerShell to force a sign off based on this flow?

Expiscornovus
Super User

Hi @Anonymous,

 

In the Azure AD PowerShell module there should be a Revoke-AzureADUserAllRefreshToken cmdlet which you can use:

https://docs.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0

 





Hi @Expiscornovus,

You can use the "Send an HTTP request" action of the non-premium "Office 365 Groups" connector to do the same.

--------------------------------------------------------------------------------------
Contact me if you are interested in custom Power Automate development.
Expiscornovus
Super User

Hi @VictorIvanidze,

 

Yes, I always try the Office 365 Groups one first (thanks btw for your escape ? forward slash workaround) 😀 But, it did not work in my development tenant setup.

 

Got a 403 with an "Access to invalidate refresh tokens operation is denied" error.

 

Did you get it to work with that specific revokeSignInSessions Graph API request?





Hi @Expiscornovus 

you are right - Office 365 Groups connector doesn't work for this.

My bad, sorry.

--------------------------------------------------------------------------------------
Contact me if you are interested in custom Power Automate development.
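
Added example, not code from any poster in this thread: the revokeSignInSessions Graph call from the first reply, made from PowerShell with Invoke-RestMethod rather than the premium HTTP action, followed by a read-back to confirm the revocation. The function name, the app registration parameters and the sample UPN are assumptions; the registered app is assumed to hold the permissions named in that reply.

```powershell
# Added example. Tenant id, app id, secret and UPN are supplied by the caller (placeholders).
function Revoke-UserSignInSessions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $TenantId,
        [Parameter(Mandatory)] [string]       $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [Parameter(Mandatory)] [string]       $UserPrincipalName
    )

    # App-only token for Microsoft Graph (OAuth 2.0 client credentials flow).
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
            scope         = 'https://graph.microsoft.com/.default'
        }
    $headers = @{ Authorization = "Bearer $($token.access_token)" }
    $userUri = 'https://graph.microsoft.com/v1.0/users/' + [uri]::EscapeDataString($UserPrincipalName)

    # Honour -WhatIf / -Confirm before touching the account.
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke sign-in sessions')) { return }

    try {
        $result = Invoke-RestMethod -Method Post -Uri "$userUri/revokeSignInSessions" -Headers $headers
    }
    catch {
        # 403 is the failure reported in this thread: the caller lacks permission to revoke.
        if ([int]$_.Exception.Response.StatusCode -eq 403) {
            throw "403 from revokeSignInSessions for ${UserPrincipalName}: check the app's Graph permissions and admin consent."
        }
        throw
    }

    # Graph records the revocation time on the user object; refresh tokens and
    # session cookies issued before it are no longer accepted.
    $user = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri ($userUri + '?$select=userPrincipalName,signInSessionsValidFromDateTime')

    [pscustomobject]@{
        UserPrincipalName = $user.userPrincipalName
        Revoked           = [bool]$result.value
        SessionsValidFrom = $user.signInSessionsValidFromDateTime
    }
}
# Constructed usage: Revoke-UserSignInSessions -TenantId $t -ClientId $c -ClientSecret $s -UserPrincipalName 'user@contoso.example'
```

Access tokens issued before the revocation stay usable until they expire, so `SessionsValidFrom` marks when new sign-ins become mandatory rather than the instant every session ends.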
