 

Insufficient privileges for Revoke-AzureADUserAllRefreshToken

I am trying to revoke the refresh tokens of a specific user (my own) in AzureAD to force a completely new logon to an application.

As there is no UI option for this in the Azure Portal (there actually is; see one of the answers) I am using the 'Azure Cloud Shell' option of Windows Terminal as follows, directly from the built-in Azure Cloud Shell:

Connect-AzureAD

PS /home/...> Revoke-AzureADUserAllRefreshToken -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

The GUID I pass in the parameter is the object ID of my user. Unfortunately this fails due to a permission issue:

Revoke-AzureADUserAllRefreshToken: Error occurred while executing RevokeUserAllRefreshTokens
Code: Authorization_RequestDenied
Message: Access to invalidate refresh tokens operation is denied.
RequestId: fd5f5256-3909-46af-b709-8068e0744f25
DateTimeStamp: Mon, 09 Aug 2021 16:56:28 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

If I try to execute the same in the Cloud Shell within the Azure Portal, the result is the same.

If I use a 'classic' PowerShell, then it works. So apparently something is missing with the authentication of the Cloud Shell. When I log in I get to select the right tenant, and my read access e.g. to the user list works perfectly.

I have no more clues what I would be missing:

  • I am Owner of the subscription in the azure role assignments
  • I do have the Global Administrator role assigned in AzureAD

Is there some special command to 'elevate' the permissions?

oliver asked Nov 22 '25 19:11


1 Answer

I tried to reproduce the issue on my Azure AD tenant, but unfortunately I didn't receive the error you are getting.


Note: Make sure you connect with AD with your Global Admin account i.e. [email protected] or username_outlook.com#EXT#@domainname.onmicrosoft.com, so that you see the correct details in every column in the above red box.


Other options:

  • From the Portal you can go to the user profile and click on Revoke sessions.


  • Using Graph Explorer you can revoke sign-in sessions.

    POST https://graph.microsoft.com/v1.0/users/UserObjectID/revokeSignInSessions


Reference: user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Docs

AnsumanBal-MT answered Nov 28 '25 17:11
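A scripted version of the cmdlet-based approach from the question, with a check that the revocation actually took effect, added here as an example (not code from the question or the answer). It assumes the AzureAD module is installed, that the signed-in account holds Global Administrator in the target tenant, and uses a constructed placeholder UPN:

```powershell
# Added example; not from the question or answer above. Assumes the AzureAD
# module and a Global Administrator sign-in. The UPN is a placeholder.
param(
    [string]$UserPrincipalName = "user@contoso.onmicrosoft.com"  # placeholder
)

# Connect interactively, then confirm which account and tenant are in use;
# in Cloud Shell this is the first thing to check when a call is denied.
Connect-AzureAD | Out-Null
$session = Get-AzureADCurrentSessionInfo
Write-Host "Signed in as $($session.Account) in tenant $($session.TenantId)"

# Resolve the user first so the ObjectId handed to the cmdlet is known-good
# (Get-AzureADUser -ObjectId accepts either a UPN or an object ID).
$user = Get-AzureADUser -ObjectId $UserPrincipalName
$before = $user.RefreshTokensValidFromDateTime
Write-Host "RefreshTokensValidFromDateTime before: $before"

# Revoke all refresh tokens. Authorization_RequestDenied here means the
# signed-in account lacks rights for this operation in this tenant.
try {
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
}
catch {
    Write-Error "Revocation failed: $($_.Exception.Message)"
    return
}

# Verify: the timestamp should move forward to roughly the current time,
# which is what invalidates refresh tokens issued before it.
$after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
if ($after -gt $before) {
    Write-Host "Revoked: refresh tokens issued before $after are now invalid"
}
else {
    Write-Warning "RefreshTokensValidFromDateTime did not advance; check the signed-in account and tenant"
}
```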


