当前位置: 文江博客 话题详情

在Microsoft Identity平台上编程访问OAuth2访问

发布于 2025-02-07 14:19:45 字数 671 浏览 3 评论 0 原文

因此,我正在搜索的是撤消OAuth2访问端点,例如Microsoft Identity平台上的Google。

该应用使用Microsoft Identity平台和Graph API来获取访问和使用用户邮件,日历,联系人等。

基本上,我有一个应用X ,

Google的API的 Google devoke devoke访问链接。因此,当我使用刷新令牌击中此API时 - >应用程序也可以访问您的数据屏幕。

你们可以帮我找到Microsoft的API是否可以找到的,并将我指向它 谢谢

原文

So what I am searching for is a Revoke oauth2 Access Endpoint Like Google's on Microsoft Identity platform.

Basically I have an App x which uses Microsoft identity platform and graph API to gain Access and use Users Mail,Calendar,contacts etc.

When the User want's their Microsoft Access to be removed from My app or wishes to delete their Account.

  • i need to revoke the Access Token and Refresh Token I have and My App Should be removed from the 'Microsoft Portal-> privacy -> Apps and Services That can Access your Data '
    so that the user can be sure that the Integration is removed.

This feature is available with google's API's Google Revoke Access Link. So when i Hit this api with my refresh token all the access is removed and my App disappears from the 'google dashboard->apps which access your data' screen too.

Can you guys please help me find if this is Available with Microsoft's API and Point me towards it
Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

谜兔 2025-02-14 14:19:45

将无效的应用程序为用户生成的刷新令牌,这也使给用户浏览器中的会话cookie发出的代币无效。

注:
一个小时的aliftime

在此期间,即使删除了应用程序,也有
机会仍然可用。 Azuread发行刷新令牌
使用资源的访问令牌。

如果撤销了,则用户不会
访问令牌到期后,能够再次获得令牌。

要在访问令牌的寿命之间撤销授权,请查看以下命令。

CMDLET通过重置RefreshTokenSvalidFromDateTime运行
用户属性到当前日期和时间。

ex: 使用powershell 

PS C:\> Revoke-AzureADUserAllRefreshToken -ObjectId "a1dxxxxx-7xx6-4xxd-axxx-b7xxxxxxxa33"
  • 此命令基于指定用户的刷新代币
    用户的对象ID。

使用Microsoft Graph API 

POST https://graph.microsoft.com/{version}/users/{userobject_id}/invalidateAllRefreshToken`

  • 相同的操作,其中如下命令(powerShell)吊销了刷新令牌的当前记录的刷新令牌
    用户。

    revoke-azureadsignedinuserallrefreshtoken

  • 作为 admin ,您可以从“用户和组”中删除用户
    企业应用程序的部分

  • 如果用户已同意该应用程序以访问应用程序,以及
    需要用户分配吗?设置为“属性”,然后
    用户可以直接转到门户并删除应用程序。

在上述两种情况下访问我的应用程序门户时,该应用程序将看不到该应用程序。

注意:当不需要用户分配时,未分配的用户看不到
他们的应用程序上的应用程序。

您可以将以下脚本用于 从应用程序中删除用户和角色 

$user = get-azureaduser -ObjectId <objectId>
$spo = Get-AzureADServicePrincipal -ObjectId <objectId>

#为分配给用户的角色分配ID

$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId | Where {$_.PrincipalDisplayName -eq $user.DisplayName}

#below cmd将显示为wha thal分配

$assignments | Select *

#在下面命令下方删除Applore分配检查。

Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[assignment #].ObjectId

参考:

  2. Azure Active Directory的紧急情况访问 -
    Microsoft Entra |微软文档

The Revoke-AzureADUserAllRefreshToken will invalidate applications refresh tokens generated for user which also invalidates tokens issued to session cookies in a browser for the user.

NOTE: So if the user has access or granted access to the application, Azure AD will generate an access token which has
alifetime of one hr.

During this time even if app is deleted ,there are
chances it is still available . Azuread issues a refresh token along
with access token for the resource.

If this is revoked ,the user wont
be able to obtain the token again after the access token expires.

To revoke authorization in between the life span of the access token, please check below commands.

The cmdlet operates by resetting the refreshTokensValidFromDateTime
user property to the current date and time.

Ex: using powershell

PS C:\> Revoke-AzureADUserAllRefreshToken -ObjectId "a1dxxxxx-7xx6-4xxd-axxx-b7xxxxxxxa33"
  • This command revokes refresh token of the specified user based on
    object id of user.

Same operation using Microsoft graph API

POST https://graph.microsoft.com/{version}/users/{userobject_id}/invalidateAllRefreshToken`

  • Where as below command(powershell) revokes refresh token for current logged in
    user.

    Revoke-AzureADSignedInUserAllRefreshToken

  • As the admin ,you can remove user from the "Users and groups"
    section of the enterprise app.

enter image description here

  • If the user has consented to the application to access app and if
    User assignment required? Is set to no under properties, then the
    user can directly go to portal and delete the app.

The app will not be visible for that user when visiting the My apps portal in both the above cases.

Note:When user assignment is not required, unassigned users don't see
the app on their My Apps.

You can use the following script to remove a user and role from an application:

$user = get-azureaduser -ObjectId <objectId>
$spo = Get-AzureADServicePrincipal -ObjectId <objectId>

#Get the ID of role assignment which is assigned to user to unassign

$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId | Where {$_.PrincipalDisplayName -eq $user.DisplayName}

#below cmd will show wha tall is assigned

$assignments | Select *

#In order to remove the Approle assignment check below command.

Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[assignment #].ObjectId

References:

  1. Delete oAuth2PermissionGrant (a delegated permission grant) -
    Microsoft Graph v1.0 | Microsoft Docs
  2. Revoke user access in an emergency in Azure Active Directory -
    Microsoft Entra | Microsoft Docs
回复 原文
~没有更多了~

关于作者

好久不见√

暂无简介

文章
评论
27 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

alipaysp_snBf0MSZIv

文章 0 评论 0

梦断已成空

文章 0 评论 0

瞎闹

文章 0 评论 0

凯凯我们等你回来

文章 0 评论 0

寄意

文章 0 评论 0

似梦非梦

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文