Revoke-MgBetaUserSignInSession
Invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time. Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation prevents access to the organization's data through applications on the device by requiring the user to sign in again to all applications that they have previously consented to, independent of device. If the application attempts to redeem a delegated access token for this user by using an invalidated refresh token, the application will get an error. If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint, which will force the user to sign in.
Note
To view the v1.0 release of this cmdlet, view Revoke-MgUserSignInSession
Syntax
Revoke-MgBetaUserSignInSession
-UserId <String>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Revoke-MgBetaUserSignInSession
-InputObject <IUsersActionsIdentity>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time. Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation prevents access to the organization's data through applications on the device by requiring the user to sign in again to all applications that they have previously consented to, independent of device. If the application attempts to redeem a delegated access token for this user by using an invalidated refresh token, the application will get an error. If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint, which will force the user to sign in.
Permissions
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | User.RevokeSessions.All | Directory.ReadWrite.All, User.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | User.RevokeSessions.All | Not available. |
Examples
Example 1: Code snippet
Import-Module Microsoft.Graph.Beta.Users.Actions
# A UPN can also be used as -UserId.
Revoke-MgBetaUserSignInSession -UserId $userIdThis example shows how to use the Revoke-MgBetaUserSignInSession Cmdlet.
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
| Type: | IDictionary |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
| Type: | IUsersActionsIdentity |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
| Type: | ActionPreference |
| Aliases: | proga |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
| Type: | String |
| Aliases: | RHV |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-UserId
The unique identifier of user
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Microsoft.Graph.Beta.PowerShell.Models.IUsersActionsIdentity
System.Collections.IDictionary
Outputs
System.Boolean
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
INPUTOBJECT <IUsersActionsIdentity>: Identity Parameter
[AccessReviewInstanceId <String>]: The unique identifier of accessReviewInstance[AccessReviewStageId <String>]: The unique identifier of accessReviewStage[AppLogCollectionRequestId <String>]: The unique identifier of appLogCollectionRequest[AuthenticationMethodId <String>]: The unique identifier of authenticationMethod[CalendarId <String>]: The unique identifier of calendar[ChatId <String>]: The unique identifier of chat[ChatMessageId <String>]: The unique identifier of chatMessage[ChatMessageId1 <String>]: The unique identifier of chatMessage[CloudPcId <String>]: The unique identifier of cloudPC[ContactFolderId <String>]: The unique identifier of contactFolder[ContactFolderId1 <String>]: The unique identifier of contactFolder[ContactId <String>]: The unique identifier of contact[ContentTypeId <String>]: The unique identifier of contentType[DeviceEnrollmentConfigurationId <String>]: The unique identifier of deviceEnrollmentConfiguration[DeviceLogCollectionResponseId <String>]: The unique identifier of deviceLogCollectionResponse[DocumentSetVersionId <String>]: The unique identifier of documentSetVersion[DriveId <String>]: The unique identifier of drive[DriveItemId <String>]: The unique identifier of driveItem[DriveItemVersionId <String>]: The unique identifier of driveItemVersion[EventId <String>]: The unique identifier of event[EventId1 <String>]: The unique identifier of event[JoinWebUrl <String>]: Alternate key of onlineMeeting[ListItemId <String>]: The unique identifier of listItem[ListItemVersionId <String>]: The unique identifier of listItemVersion[MailFolderId <String>]: The unique identifier of mailFolder[MailFolderId1 <String>]: The unique identifier of mailFolder[ManagedDeviceId <String>]: The unique identifier of managedDevice[MessageId <String>]: The unique identifier of message[MobileAppTroubleshootingEventId <String>]: The unique identifier of mobileAppTroubleshootingEvent[NotebookId <String>]: The unique identifier of notebook[OnenotePageId <String>]: The unique identifier of onenotePage[OnenoteSectionId <String>]: The unique identifier of onenoteSection[OnlineMeetingId <String>]: The unique identifier of onlineMeeting[OutlookTaskFolderId <String>]: The unique identifier of outlookTaskFolder[OutlookTaskGroupId <String>]: The unique identifier of outlookTaskGroup[OutlookTaskId <String>]: The unique identifier of outlookTask[PermissionId <String>]: The unique identifier of permission[PlannerPlanId <String>]: The unique identifier of plannerPlan[SensitivityLabelId <String>]: The unique identifier of sensitivityLabel[SubscriptionId <String>]: The unique identifier of subscription[TeamsAppInstallationId <String>]: The unique identifier of teamsAppInstallation[TodoTaskId <String>]: The unique identifier of todoTask[TodoTaskListId <String>]: The unique identifier of todoTaskList[UserId <String>]: The unique identifier of user