I made an observation around access tokens and revoking permissions through AAD: Even after revoking the App permission from AAD, we're able to obtain access tokens from refresh tokens. It takes around 15-20 minutes before graph API calls using access tokens obtained after permission revoke start failing (which I assume is how long it takes for the permission revoke to take effect?) but the /token call using refresh token keeps returning access tokens (which don't work but I would expect the refresh /token call to fail as well).
1 Answer
0 votes
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of an access token is usually 1 hour; even if you revoke App permissions during its lifetime, it is still available. However, for the refresh token, its lifetime can be up to 90 days. If you need to revoke it during the refresh token lifetime, you can try:
Revoke-AzureADUserAllRefreshToken -ObjectId "{user id}"
see: here.
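As an added example (not part of the answer above, and not Microsoft's own script), a PowerShell session that revokes the user's refresh tokens with the cmdlet from the answer, reads back the RefreshTokensValidFromDateTime stamp that the revoke updates, and decodes an access token's iat/exp claims to show why an already-issued access token keeps working until it expires. It assumes the AzureAD module is installed and the caller may read the user and revoke tokens; the UPN and $AccessToken are placeholders.

```powershell
# Added example; assumes the AzureAD module and sufficient rights.
Connect-AzureAD | Out-Null

$upn  = 'user@contoso.example'            # placeholder UPN
$user = Get-AzureADUser -ObjectId $upn
Write-Host "Refresh tokens valid from (before): $($user.RefreshTokensValidFromDateTime)"

# Invalidate every refresh token issued to this user. Access tokens that were
# already issued are not affected; they are honored until their own 'exp'.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

$user      = Get-AzureADUser -ObjectId $upn
$validFrom = $user.RefreshTokensValidFromDateTime
Write-Host "Refresh tokens valid from (after):  $validFrom"

# Decode a JWT payload for inspection only (no signature verification).
function Get-JwtPayload([string]$Jwt) {
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

# $AccessToken is a placeholder: an access token obtained before the revoke.
$claims  = Get-JwtPayload $AccessToken
$issued  = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime

if ($issued -lt $validFrom) {
    # The refresh token behind this access token is now dead, but the access
    # token itself stays valid at the resource until $expires (about 1 hour).
    Write-Host "Issued $issued, before revocation; still accepted until $expires"
}
```

Sign-in logs after the revoke show new refresh attempts failing, while resources keep accepting the old access token until the time printed above.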