In some cases, you might need to revoke the OAuth connection programmatically. This can be done by calling the Revoke Connection API
There are multiple ways to revoke the OAuth of an API Connection other than clicking on the Revoke button in the portal:
For using the "Invoke an HTTP request":
Get the connection name:
Create a Logic App (Consumption), use a trigger of your liking, then add the “Invoke an HTTP request” Action.
Create a connection on the same Tenant that has the connection, then add the below URL to the action, and test it:
Your test should be successful.
For using an App Registration to fetch the Token (which is how you can do this with Postman or similar as well):
App Registration should include this permission:
For your Logic App, or Postman, get the Bearer Token by calling this URL: https://login.microsoftonline.com/[TENANT_ID]/oauth2/v2.0/token
With this in the Body:
Client_Id=[CLIENT_ID_OF_THE_APP_REG]&Client_Secret=[CLIENT_SECRET_FROM_APP_REG]&grant_type=client_credentials&scope=https://management.azure.com/.default
For the Header use: Content-Type = application/x-www-form-urlencoded
If you’ll use a Logic App for this; Add a Parse JSON action, use the Body of the Get Bearer Token HTTP Action as an input to the Parse JSON Action, then use the below as the Schema:
{
"properties": {
"access_token": {
"type": "string"
},
"expires_in": {
"type": "integer"
},
"ext_expires_in": {
"type": "integer"
},
"token_type": {
"type": "string"
}
},
"type": "object"
}
Finally, add another HTTP Action (or call this in Postman or similar) to call the Revoke API. In the Header add “Authorization”key with a value of “Bearer” followed by a space then add the bearer token from the output of the Parse JSON Action.
If you want to use CURL:
Request the Token Use the OAuth 2.0 client credentials flow to get the token:
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=[CLIENT_ID_OF_APP_REG]" \
-d "scope= https://management.azure.com/.default" \
-d "client_secret=[CLIENT_SECRET_FROM_APP_REG]" \
-d "grant_type=client_credentials" \
https://login.microsoftonline.com/[TENANT_ID]/oauth2/v2.0/token
The access_token in the response is your Bearer token.
Call the Revoke API
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-H "Content-Type: application/json" \
-d '{"key":"value"}'
If you face the below error, you will need to grant Contributor Role to the App Registration on the Resource Group that contains the API Connection. (If you want “Least privilege” skip to below )
{ "error": {
"code": "AuthorizationFailed", "message": "The client '[App_reg_client_id]' with object id '[App_reg_object_id]' does not have authorization to perform action 'Microsoft.Web/connections/revokeConnectionKeys/action' over scope '/subscriptions/[subscription_id]/resourceGroups/[resource_group_id]/providers/Microsoft.Web/connections/[connection_name]' or the scope is invalid. If access was recently granted, please refresh your credentials."
} }
For “Least privilege” solution, create a Custom RBAC Role with the below Roles, and assign it to the App Registration Object ID same as above:
{
"actions": [
"Microsoft.Web/connections/read",
"Microsoft.Web/connections/write",
"Microsoft.Web/connections/delete",
"Microsoft.Web/connections/revokeConnectionKeys/action"
] }
Microsoft