
Azure AD OAuth 2.0 Access Token has expired

Han Valk
Occasional Contributor

For testing purposes it is sometimes useful to revoke an STS token. On AD FS there are ways to do this, e.g. Revoke-AzureADSignedInUserAllRefreshToken.

Is there a way to revoke an Azure AD STS token either on the Azure AD side or the client side, e.g. by removing/deleting it from the client? Deleting cookies unfortunately doesn't work.

1 Reply

Hi Han,


Revoking a user’s active refresh tokens is simple and can be done on an ad-hoc basis. You do this by setting the StsRefreshTokensValidFrom on the user object, so any refresh tokens tied to a credential provided before the time this attribute was set will no longer be honored by Azure AD. The user will be forced to re-authenticate to receive a new refresh token.

Follow these steps to revoke a user’s refresh tokens:

  1. Download the latest Azure AD PowerShell V1 release.
  2. Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session:

    Connect-msolservice

  3. Set the StsRefreshTokensValidFrom parameter using the following command:

    Set-MsolUser -UserPrincipalName <UPN of the User> -StsRefreshTokensValidFrom ("<current date>")

I hope this helps.


Best regards,

Ruud Gijsbers
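The steps in the reply above, carried through as one runnable PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the MSOnline (Azure AD PowerShell V1) module is installed and that the account used for Connect-MsolService has rights to modify the target user. The parameter name, the use of Get-Date for the cut-off, and the read-back via Get-MsolUser are my choices; the user principal name is a placeholder you supply.

```powershell
# Added example (not from the original thread): revoke a user's Azure AD refresh
# tokens by stamping StsRefreshTokensValidFrom, then read the attribute back to
# confirm the change took effect.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. 'user@contoso.example'
)

Import-Module MSOnline
Connect-MsolService   # interactive admin sign-in; repeat in every new session

# Record the cut-off instant in UTC. Refresh tokens issued before this instant
# are no longer honored by Azure AD; tokens issued afterwards are unaffected.
$cutoff = (Get-Date).ToUniversalTime()

Set-MsolUser -UserPrincipalName $UserPrincipalName -StsRefreshTokensValidFrom $cutoff

# Verification: the attribute on the user object should now be at (or within a
# minute of) the cut-off. The tolerance absorbs sub-second truncation by the
# directory, so an exact comparison is deliberately avoided.
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($null -eq $user.StsRefreshTokensValidFrom -or
    $user.StsRefreshTokensValidFrom -lt $cutoff.AddMinutes(-1)) {
    throw "StsRefreshTokensValidFrom was not updated for $UserPrincipalName"
}

"Refresh tokens for $UserPrincipalName issued before $($cutoff.ToString('o')) are now rejected."
```

Two practical notes for anyone using this to test token handling. First, resetting StsRefreshTokensValidFrom invalidates refresh tokens only: an access token the client already holds is a bearer token that stays valid until its own expiry, so a client can keep calling an API with it for up to the token lifetime before it is forced back to Azure AD and hits the revocation. Deleting cookies does not help for the same reason, since the token lives in the client's token cache rather than in a cookie. Second, the MSOnline module is the V1 tooling; the same reset is exposed as Revoke-AzureADUserAllRefreshToken in the AzureAD module and as Revoke-MgUserSignInSession in the Microsoft Graph PowerShell SDK, which are the cmdlets to reach for in newer tenants.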
