Using a Logic App to revoke sign-in sessions via REST API
Published Apr 15 2024 12:07 AM
Microsoft

Background:

The 'Revoke sign-in session via REST API' template is frequently used in Sentinel playbooks. However, the template is old and its 'Revoke user session' step no longer works. In addition, the permissions required to revoke sign-in sessions have been updated. In this article, we share the new way to use a Logic App to revoke sign-in sessions.

Scope:

  1. An app registration (client) that grants the user at least the 'User.ReadWrite.All' permission
  2. A user account that holds at least the 'microsoft.directory/users/invalidateAllRefreshTokens' permission
  3. A Logic App that sends the revoke-session request

Preparation:

 1. Client permission:

   [screenshot]

Reference: user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Learn

2. User permission:

The account needs at least the 'microsoft.directory/users/invalidateAllRefreshTokens' permission; you can search for it in the following reference: Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn

The following roles meet the requirement; the least privileged is 'User Administrator':

  • User Administrator
  • Privileged Authentication Administrator
  • Partner Tier2 Support
  • Partner Tier1 Support
  • Helpdesk Administrator
  • Directory Writers
  • Authentication Administrator

Design:

Step 1: Create a client and give it the 'User.ReadWrite.All' permission.

  1. Go to Microsoft Entra ID -> App registrations -> New registration (skip this if you already have an app registration that can be used for the authorization).

[screenshot]

[screenshot]

  2. In the new registration, create a client secret under 'Certificates & secrets' (skip this if you already have one and remember the value). Copy the value, as it is shown only once, when it is created.

[screenshot]

  3. Go to 'API permissions' -> 'Add a permission' and add the 'User.ReadWrite.All' permission. A Global Admin needs to grant admin consent.

[screenshot]

  4. The user needs at least the 'User Administrator' role.

[screenshot]

Step 2: Logic App design

1. This part needs the user name and password to obtain a user token, so we use Key Vault to protect the password: store the password in the key vault and use the 'Get secret' action to retrieve it.

[screenshot]

You can enable 'Secure Inputs' and 'Secure Outputs' on the action so the password is not shown in the run history.

[screenshot]

2. We need to use the Resource Owner Password Credentials (ROPC) flow.

Scope:

[screenshot]

REST API example:

// Line breaks and spaces are for legibility only.  This is a public client, so no secret is required.

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=user.readwrite.all
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password

Tenant ID and client ID:

[screenshot]

Example:

[screenshot]

3. Use a 'Parse JSON' action to format the output:

[screenshot]

4. Use the REST API to revoke the user's sign-in sessions:

Reference: user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Learn

URL: https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/revokeSignInSessions

[screenshot]

Example:

[screenshot]

Then you can run and test your Logic App :)
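The two calls the Logic App chains together (the ROPC token request, then revokeSignInSessions), written out as an added Python example that is not part of the original article. The HTTP transport is injected so the flow runs offline against a constructed stand-in; the tenant, client ID, account names and token value are placeholders.

```python
import json
from urllib.parse import quote, urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REVOKE_URL = "https://graph.microsoft.com/v1.0/users/{user}/revokeSignInSessions"


def build_token_request(tenant, client_id, username, password):
    """ROPC token request for a public client: returns (url, headers, body)."""
    body = urlencode({"client_id": client_id, "scope": "user.readwrite.all",
                      "username": username, "password": password,
                      "grant_type": "password"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant), headers, body


def revoke_sign_in_sessions(post, tenant, client_id, username, password, target):
    """Get a delegated token via ROPC, then call revokeSignInSessions for `target`.
    `post(url, headers, body)` is any callable that returns (status_code, text)."""
    url, headers, body = build_token_request(tenant, client_id, username, password)
    status, text = post(url, headers, body)
    token = json.loads(text)                  # the Logic App's 'Parse JSON' step
    if status != 200 or "access_token" not in token:
        # ROPC cannot satisfy MFA, so accounts under MFA or Conditional Access fail here
        raise RuntimeError("token request failed: " + str(token.get("error", status)))
    # the UPN is part of the URL path, so percent-encode it (the '@' in particular)
    revoke = REVOKE_URL.format(user=quote(target, safe=""))
    auth = {"Authorization": "Bearer " + token["access_token"]}
    status, _ = post(revoke, auth, "")        # no request body for this action
    return 200 <= status < 300                # Graph answers with a 2xx on success


# Constructed stand-in for the network; tokens and responses are sample data.
def fake_post(url, headers, body):
    if url.endswith("/oauth2/v2.0/token"):
        if "grant_type=password" not in body:
            return 400, '{"error": "unsupported_grant_type"}'
        return 200, '{"token_type": "Bearer", "access_token": "CONSTRUCTED.TOKEN"}'
    if headers.get("Authorization") != "Bearer CONSTRUCTED.TOKEN":
        return 401, '{"error": "unauthorized"}'
    return 200, '{"value": true}'


if __name__ == "__main__":
    ok = revoke_sign_in_sessions(fake_post, "contoso.onmicrosoft.com",
                                 "00000000-0000-0000-0000-000000000000",
                                 "svc-playbook@contoso.com", "placeholder-password",
                                 "alice@contoso.com")
    print("sessions revoked" if ok else "revoke failed")
```

To run it against a real tenant, replace `fake_post` with a function that sends the request with your HTTP library and returns the status code and body text.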

Last update: Apr 11 2024 05:32 AM