I'm trying to build a cloud flow for our Cyber team - what I've got so far is linking MCAS to Power Automate, so that when we get an Impossible Travel alert I can get a series of options presented. One of these is what I want to be a playbook, which signs out the user from 365 / Azure and sends an email to them letting them know of the alert. I can automate the email okay, but can't find an option to force a sign out. How do you do this?
I would have a look at the revokeSignInSessions method of the Microsoft Graph REST API:
Below is an example of that approach.
Be aware that this approach uses an HTTP action (premium connector) and requires a registered app in Azure AD with User.ReadWrite.All, Directory.ReadWrite.All permissions.
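The same Graph call the HTTP action makes, written out as a PowerShell script so the request, the token flow and the 403 failure mode are visible. This is an added example, not the poster's flow or Microsoft's sample code: the tenant ID, client ID, client secret and the user `alice@contoso.example` are placeholders you would replace with your own app registration and the UPN coming out of the MCAS alert.

```powershell
# Added example: revoke a user's sign-in sessions via Microsoft Graph using an
# app registration (client-credentials flow). All values below are placeholders.
$TenantId          = '<tenant-id>'            # placeholder
$ClientId          = '<app-client-id>'        # placeholder
$ClientSecret      = '<app-client-secret>'    # placeholder; keep in Key Vault or a secure input in production
$UserPrincipalName = 'alice@contoso.example'  # constructed sample UPN (Graph also accepts the object id)

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Standard v2.0 token endpoint; .default scope = the application permissions consented on the app
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function Revoke-GraphUserSessions {
    param([string]$AccessToken, [string]$UserPrincipalName)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/revokeSignInSessions"
    try {
        # v1.0 answers 200 OK with a boolean body: { "value": true }
        $result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers
        return [bool]$result.value
    }
    catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 403) {
            # The error the Office 365 Groups connector also surfaces: the calling identity
            # lacks User.ReadWrite.All / Directory.ReadWrite.All or admin consent was never granted.
            throw "Graph returned 403 for $UserPrincipalName: check the app's permissions and admin consent."
        }
        throw
    }
}

$token = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
if (Revoke-GraphUserSessions -AccessToken $token -UserPrincipalName $UserPrincipalName) {
    Write-Host "Sign-in sessions revoked for $UserPrincipalName"
}
```

In the Power Automate HTTP action the equivalent configuration is Method POST, the same URI, and Authentication set to Active Directory OAuth with your tenant, client ID, secret and audience `https://graph.microsoft.com`; the action then handles the token step for you. One caveat worth building into the playbook's email: revokeSignInSessions invalidates refresh tokens and session cookies, but access tokens already issued stay valid until they expire (typically up to an hour), so the user may not be fully signed out immediately.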
Thanks for this @Expiscornovus , assuming I did not want to tack on additional costs, would it be possible to trigger this some other way? I.e. using PowerShell to force a sign off based on this flow?
In the Azure AD PowerShell module there should be a Revoke-AzureADUserAllRefreshToken cmdlet which you can use:
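To show that cmdlet doing something checkable rather than as a bare one-liner, here is an added example (not the poster's code) that revokes the tokens and then confirms the revocation by reading the user's RefreshTokensValidFromDateTime before and after. It assumes the AzureAD module is installed, that the interactive account has the permissions mentioned above, and that `alice@contoso.example` is a constructed sample UPN.

```powershell
# Added example: revoke all refresh tokens for a user with the AzureAD module and
# verify the change. Requires: Install-Module AzureAD; an account allowed to revoke tokens.
Import-Module AzureAD
Connect-AzureAD | Out-Null   # interactive sign-in with a suitably privileged account

function Revoke-UserSessionsWithCheck {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Get-AzureADUser -ObjectId accepts either the object id or the UPN
    $user   = Get-AzureADUser -ObjectId $UserPrincipalName
    $before = $user.RefreshTokensValidFromDateTime

    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    # Azure AD moves RefreshTokensValidFromDateTime to "now"; any refresh token
    # issued before that instant is rejected the next time a client tries to use it.
    $after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime

    [pscustomobject]@{
        User        = $user.UserPrincipalName
        ValidBefore = $before
        ValidAfter  = $after
        Revoked     = ($after -gt $before)
    }
}

Revoke-UserSessionsWithCheck -UserPrincipalName 'alice@contoso.example'
```

The returned object gives the playbook something to log alongside the alert. As with the Graph call, this only invalidates refresh tokens; access tokens already in a client's hands keep working until they expire. Note also that the AzureAD module is being retired in favour of the Microsoft Graph PowerShell SDK, where the equivalent cmdlet is Revoke-MgUserSignInSession.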
You can use the "Send an HTTP request" action of the non-premium "Office 365 Groups" connector to do the same.
Yes, I always try the Office 365 Groups one first (thanks btw for your escape ? forward slash workaround) 😀 But, it did not work in my development tenant setup.
Got a 403 with an "Access to invalidate refresh tokens operation is denied" error.
Did you get it to work with that specific revokeSignInSessions Graph API request?
You are right - the Office 365 Groups connector doesn't work for this.
My bad, sorry.