Background:
Revoking a user's sign-in sessions via the REST API is frequently used in Sentinel playbooks. However, the existing template is old and its 'Revoke user session' part no longer works. In addition, the permissions required for Revoke Sign in Session have changed. In this article we share the new way to use a Logic App to revoke a user's sign-in sessions.
Scope:
- A client (app registration) that grants the user at least the 'User.ReadWrite.All' permission
- A user account that holds at least the 'microsoft.directory/users/invalidateAllRefreshTokens' permission
- A Logic App that sends the revoke-session request
Preparation:
1. Client Permission:
Reference: user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Learn
2. User permission:
The user needs at least the 'microsoft.directory/users/invalidateAllRefreshTokens' permission; you can search for it in the following reference: Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn
The following built-in roles include this permission; the least privileged of them is 'User Administrator':
- User Administrator
- Privileged Authentication Administrator
- Partner Tier2 Support
- Partner Tier1 Support
- Helpdesk Administrator
- Directory Writers
- Authentication Administrator
Design:
Step 1: Create a client and grant it the 'User.ReadWrite.All' permission.
- Go to Microsoft Entra ID -> App registrations -> New registration (skip this if you already have an app registration that can be used for this authorization)
- In the new registration, go to 'Certificates & secrets' and create a client secret (skip this if you already have one and know its value). Copy the value right away, as it is shown only once, when it is created.
- Go to 'API permissions' -> 'Add a permission' and add the 'User.ReadWrite.All' permission; a Global Administrator needs to grant admin consent
- The user account needs at least the 'User Administrator' role
Step 2: Logic app design
1. In this part we need the user name and password to obtain a user token, so we use Key Vault to protect the password: store the password in the key vault and use the 'Get secret' action to retrieve it.
Enable 'Secure Inputs' and 'Secure Outputs' on that action so the password does not appear in the run history.
2. We need to use the Resource Owner Password Credentials (ROPC) flow
Scope:
REST API example:
// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=user.readwrite.all
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password
Tenant id and client id:
Example:
3. Use a 'Parse JSON' action to parse the token response:
4. Use the Graph REST API to revoke the user's sign-in sessions:
Reference:
user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Learn
URL: https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/revokeSignInSessions
Example:
Then you can run and test your logic app 🙂