In this article, we explore the sub-types of refresh tokens and session cookies in Microsoft Entra ID, focusing on when they can (or cannot) be revoked. Unlike generic discussions on token mechanics, this piece dives into specific scenarios affecting token revocation.
Read the full article here: https://blog.identitylab.ch/entra-id-tokens-and-cookies-a-different-perspective
You Should Know:
1. Token Revocation in Entra ID
Refresh tokens and session cookies can be invalidated under specific conditions. Below are key commands and checks to manage them:
- Check Recent Sign-ins (Microsoft Graph PowerShell; refresh tokens themselves cannot be enumerated, so the sign-in log is the audit trail):
Get-MgAuditLogSignIn -Filter "userId eq '<UserID>'" -Top 50
- Revoke All Refresh Tokens (Azure CLI; invalidateAllRefreshTokens is only exposed on the beta endpoint):
az rest --method POST --url "https://graph.microsoft.com/beta/users/{user-id}/invalidateAllRefreshTokens"
2. Session Cookie Lifespan
Session cookies can persist even after token revocation if the browser retains them. Force logout with:
- Linux/Mac (curl):
curl -X POST -H "Authorization: Bearer <AccessToken>" "https://graph.microsoft.com/v1.0/users/{user-id}/revokeSignInSessions"
- Windows (PowerShell):
Invoke-RestMethod -Method Post -Uri "https://graph.microsoft.com/v1.0/users/{user-id}/revokeSignInSessions" -Headers @{Authorization = "Bearer <AccessToken>"}
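The following script is an added example written for this summary; it is not code from the original post, from the identitylab.ch article or from Microsoft. It wraps the revokeSignInSessions call shown above, reads back the user's signInSessionsValidFromDateTime watermark that the call moves, and includes an offline check that tells you whether a token you hold was issued before that watermark (a refresh token or session cookie with an older issue time is rejected on next use, while an already-issued access token keeps working until its exp). The user id, bearer token and sample JWT are constructed placeholders; the live calls need a Graph token holding an application permission such as User.RevokeSessions.All.

```python
"""Added example: session revocation and "was this token issued before the
revocation watermark?" check for Microsoft Entra ID via Microsoft Graph."""

import base64
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check is done:
    this inspects a token you already hold, it does not decide whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_before(token: str, valid_from: datetime) -> bool:
    """True when the token's iat is older than the sign-in session watermark.
    A refresh token or session cookie in that state is refused on next use;
    an access token with an old iat still works until its exp claim passes."""
    iat = datetime.fromtimestamp(int(decode_jwt_claims(token)["iat"]), tz=timezone.utc)
    return iat < valid_from


def _graph(method: str, url: str, access_token: str) -> dict:
    """Minimal Graph call with a bearer token; POST sends an empty body."""
    req = urllib.request.Request(
        url,
        method=method,
        data=b"" if method == "POST" else None,
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def revoke_sign_in_sessions(user_id: str, access_token: str) -> bool:
    """POST /users/{id}/revokeSignInSessions (the endpoint used in section 2).
    Graph answers {"value": true} once the watermark has been moved forward."""
    body = _graph("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", access_token)
    return bool(body["value"])


def sessions_valid_from(user_id: str, access_token: str) -> datetime:
    """Read back the watermark that revokeSignInSessions bumps."""
    body = _graph(
        "GET", f"{GRAPH}/users/{user_id}?$select=signInSessionsValidFromDateTime", access_token
    )
    return datetime.fromisoformat(body["signInSessionsValidFromDateTime"].replace("Z", "+00:00"))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for the offline demo (alg none, empty signature)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def demo() -> tuple:
    """Offline demonstration with constructed values: a token issued at
    2023-11-14 22:13:20 UTC checked against a watermark one day later and one day earlier."""
    sample = make_unsigned_jwt({"iat": 1700000000, "exp": 1700003600, "sub": "constructed"})
    watermark_after = datetime(2023, 11, 15, tzinfo=timezone.utc)   # revoked after issue
    watermark_before = datetime(2023, 11, 14, tzinfo=timezone.utc)  # revoked before issue
    return issued_before(sample, watermark_after), issued_before(sample, watermark_before)


if __name__ == "__main__":
    print("predates revocation / still valid:", demo())
    # Live use with a real Graph token (constructed placeholders shown):
    # revoke_sign_in_sessions("<UserID>", "<AccessToken>")
    # print(sessions_valid_from("<UserID>", "<AccessToken>"))
```

Run the script as-is for the offline check; uncomment the last two lines with a real user id and token to revoke and then verify the watermark. Because Entra ID compares the token's issue time against signInSessionsValidFromDateTime rather than keeping a per-token blocklist, the read-back is the quickest way to confirm that a revocation actually took effect.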
3. Conditional Access Policies
Ensure tokens are revoked when risk is detected:
- List Conditional Access Policies (Azure CLI):
az rest --method GET --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
4. Token Lifetime Configuration
Adjust token lifetimes via:
- PowerShell:
Set-AzureADPolicy -Id <PolicyID> -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"01:00:00"}}')
What Undercode Says:
Understanding token and cookie revocation in Entra ID is critical for securing identity management. Always enforce:
- Regular sign-in audits (Entra ID exposes no list of a user's refresh tokens, so review the sign-in log).
- Forced sign-outs (revokeSignInSessions).
- Conditional Access to auto-revoke risky sessions.
- Token lifetime policies to minimize exposure.
For deeper insights, refer to Microsoft’s official docs:
Expected Output:
A hardened Entra ID environment with controlled token/cookie revocation, reducing unauthorized access risks.
Reported By: Lkozubal Entra – Hackers Feeds