Forum Discussion
How do I sign out of my OIDC Entra ID Application?
We have an application protected with Entra ID using OIDC. Signing into our application or SPA goes through a series of redirects before receiving a JWT and refresh token at the end of the Entra ID OIDC authentication flow. All of that works great.
When a user is done with our application, we want them to be able to sign out of our application. In our mind, that means invalidating the `refresh_token` they received when signing in. We're not seeing an OAuth endpoint to do that. Given the default lifetime of the `refresh_token`, I'd rather not simply ignore/discard it, as it could be used to generate a new JWT (however unlikely).
I am posting this on here after searching the web for several hours. All I am able to find on the web is single sign-out (SLO), which would sign my user out of all of Office 365 when they sign out of our application. That is not what I want.
How do I invalidate the user's `refresh_token`? Is there a "revoke" endpoint in Entra ID? If not, then what other options do we have?
1 Reply
You may consider the options below:
- Use Microsoft Graph API
  You can revoke a user's refresh tokens using the Microsoft Graph PowerShell SDK or REST API:
  `Revoke-MgUserSignInSession -UserId <user-object-id>`
- Use invalidateAllRefreshTokens endpoint
  If you're automating this via backend logic, you can call the Microsoft Graph endpoint:
  `POST https://graph.microsoft.com/v1.0/users/{id}/invalidateAllRefreshTokens`
This revokes all refresh tokens and forces reauthentication across apps using Entra ID.
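As an added example (not code from the reply above), the PowerShell route end to end: resolve the user, revoke their sessions with `Revoke-MgUserSignInSession`, and read back the `signInSessionsValidFromDateTime` cutoff that Entra ID records so you can confirm the revocation took effect. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in operator can consent to the `User.RevokeSessions.All` permission; the UPN is a placeholder you supply.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module) is installed.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. alice@contoso.example
)

# Request only the permission this action needs. User.RevokeSessions.All is
# the narrow permission for revokeSignInSessions; User.ReadWrite.All also works.
Connect-MgGraph -Scopes "User.RevokeSessions.All" -NoWelcome

# signInSessionsValidFromDateTime is not returned by default, so select it.
$props = "id,userPrincipalName,signInSessionsValidFromDateTime"
$user  = Get-MgUser -UserId $UserPrincipalName -Property $props -ErrorAction Stop
$before = $user.SignInSessionsValidFromDateTime

# Wraps POST /users/{id}/revokeSignInSessions. Entra ID resets the user's
# signInSessionsValidFromDateTime to now; every refresh token and session
# cookie issued before that instant is rejected on its next use, for all apps.
Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null

# Read the cutoff back to verify the revocation was applied.
$after = (Get-MgUser -UserId $user.Id -Property $props).SignInSessionsValidFromDateTime

[pscustomobject]@{
    User            = $user.UserPrincipalName
    ValidFromBefore = $before
    ValidFromAfter  = $after
    Applied         = ($after -gt $before)
}
```

Access tokens (the JWTs) already issued stay valid until they expire unless the resource uses continuous access evaluation, so the app should also drop its own session and discard the cached tokens. This call revokes refresh tokens for every application the user signed into with that account, not only yours, which is the same scope as the REST endpoint in the reply.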