I have used the tenant ID in the URL to generate the token and also gave the resource that you mentioned, but I am receiving the same error…
Is there any additional configuration we need to do?
Hi Shantha,
In your screenshot, your body has these parameters listed: grant_type, client_id, client_secret, and resource.
The last one, “resource”, is not a valid parameter and instead should be “scope”. Please take a look at my screenshot for the keys/values I am using in my body; “resource” does not exist.
Thank you,
Omg!! It works in Postman… Let me try this in ISC and let you know if it works…
Thanks @zachm117 for noting this.
It works in WF, but I want to get the access token in the next HTTP Request; is it possible? I tried $.hTTPRequest.body.access_token in the next HTTP Request, but it throws a request failed error.
Hi Shantha,
What is the need to pass the access token to another action? If you need another HTTP request to be called, just set it up the same way as the first one to generate another token for that second action.
Thank you,
Thanks @zachm117, it really helps me a lot.
No problem at all. Glad we got it working!
Hello everyone,
I am also running into a similar issue while authenticating using client credentials. We have registered the app, provided the necessary Graph API permissions, and added client creds to the app.
We are looking to implement the revokeSignInSessions Graph API so users are signed out of sessions upon termination.
revokeSignInSessions Graph API documentation: user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Learn
Here is the HTTP POST workflow configuration:
Error in SailPoint workflow:
Here is the Insomnia (a tool similar to Postman) configuration and the error:
What is missing here? I am not able to pinpoint it. Did anyone do this successfully?
Thank you.
Can you give the Credential Location as Body in the workflow and try?
I tried it and got the same error.
{
"authenticationType": "OAuth",
"basicAuthPassword": null,
"basicAuthUserName": null,
"csvRequestBody": null,
"formRequestBody": null,
"headerAuthName": null,
"headerAuthValue": null,
"jsonRequestBody": null,
"method": "post",
"oAuthClientId": "bb7b2cff-c2f4-4a39-bfbd-3f932e384c32",
"oAuthClientSecret": "$.secrets.1dfc66fc-9b19-4985-9c92-218c7351abce",
"oAuthCredentialLocation": "oAuthInHeader",
"oAuthScope": "https://graph.microsoft.com/.default",
"oAuthTokenUrl": "https://login.microsoftonline.com/14b42516-568f-483b-a141-800cfd1be324/oauth2/v2.0/token",
"requestContentType": "json",
"requestHeaders": null,
"textRequestBody": null,
"url": "https://graph.microsoft.com/v1.0/users/[email protected]/revokeSignInSessions",
"urlParams": null
}
I can see the OAuthCredentialLocation is still in Header, not in Body. Can you double-check this?
Sorry, there was a copy-paste error, but I get the same error.
{
"authenticationType": "OAuth",
"basicAuthPassword": null,
"basicAuthUserName": null,
"csvRequestBody": null,
"formRequestBody": null,
"headerAuthName": null,
"headerAuthValue": null,
"jsonRequestBody": null,
"method": "post",
"oAuthClientId": "bb7b2cff-c2f4-4a39-bfbd-3f932e384c32",
"oAuthClientSecret": "$.secrets.1dfc66fc-9b19-4985-9c92-218c7351abce",
"oAuthCredentialLocation": "oAuthInBody",
"oAuthScope": "https://graph.microsoft.com/.default",
"oAuthTokenUrl": "https://login.microsoftonline.com/14b42516-568f-483b-a141-800cfd1be324/oauth2/v2.0/token",
"requestContentType": "json",
"requestHeaders": null,
"textRequestBody": null,
"url": "https://graph.microsoft.com/users/[email protected]/revokeSignInSessions",
"urlParams": null
}
Can anyone provide me the steps that were performed in Azure AD for the setup? Did you have to set up any redirect URI under the app? Does the app need to be registered with account types as “accounts in any organization directory”?
Can you send the WF script so that I can see what is missing?
O365SignOutSession20250111.json (1.7 KB)
Just attached it here
For revocation, use UPN/id instead of the email. Try the below API to get the users list and see whether the UPN and email in ISC are the same; if they are the same, then use email, else use the user ID attribute.
https://graph.microsoft.com/v1/users
Hello Shanta,
Are you able to provide me the Postman configuration? I want to try to test it.
Our UPN is the same as the email address.
Ahh, I was using the secret ID instead of the application (client) ID in the authentication! This definitely helped me get the bearer token.
I am running into a permission 403 error: “message”: “Insufficient privileges to complete the operation.”
I tried to run the GET /users Graph API but still get an error:
GET https://graph.microsoft.com/v1.0/users
Are there more permissions that need to be applied?
I was able to fix the permission issue. It was pointing to a different duplicate app in Azure.
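Added example, not part of the thread and not SailPoint or Microsoft code: a Python check that builds the v2.0 client-credentials token body (with "scope", as pointed out above, rather than "resource") and lints an HTTP Request action's attributes in the shape posted in this thread. The GUIDs and the user ID in the sample are constructed placeholders, and the rule that secrets appear as `$.secrets.<id>` references is an assumption taken from the configs shown above.

```python
import re
from urllib.parse import urlencode, urlparse

V2_TOKEN_PATH = re.compile(r"^/[^/]+/oauth2/v2\.0/token$")
GRAPH_VERSIONED = re.compile(r"^/(v1\.0|beta)/")

def token_request_body(client_id, client_secret, scope):
    """Form-encoded body for a v2.0 client-credentials token request."""
    # The v2.0 endpoint takes "scope"; "resource" is not sent.
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })

def lint_http_action(cfg):
    """Return findings for an OAuth HTTP Request action's attributes."""
    findings = []
    token = urlparse(cfg.get("oAuthTokenUrl") or "")
    if token.hostname != "login.microsoftonline.com" or not V2_TOKEN_PATH.match(token.path):
        findings.append("oAuthTokenUrl is not a /<tenant>/oauth2/v2.0/token endpoint")
    if not (cfg.get("oAuthScope") or "").endswith("/.default"):
        findings.append("oAuthScope should be '<resource>/.default' for client credentials")
    # Assumption: secret references look like the "$.secrets.<id>" values in the thread.
    if not (cfg.get("oAuthClientSecret") or "").startswith("$.secrets."):
        findings.append("oAuthClientSecret is a literal value, not a $.secrets reference")
    target = urlparse(cfg.get("url") or "")
    if target.hostname == "graph.microsoft.com" and not GRAPH_VERSIONED.match(target.path):
        findings.append("Graph url has no /v1.0/ or /beta/ version segment")
    return findings

# Constructed sample: placeholder GUIDs and user ID, same keys as the configs above.
SAMPLE = {
    "authenticationType": "OAuth",
    "method": "post",
    "oAuthClientId": "00000000-0000-0000-0000-000000000001",
    "oAuthClientSecret": "$.secrets.00000000-0000-0000-0000-000000000002",
    "oAuthCredentialLocation": "oAuthInBody",
    "oAuthScope": "https://graph.microsoft.com/.default",
    "oAuthTokenUrl": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
    "url": "https://graph.microsoft.com/users/USER_ID_PLACEHOLDER/revokeSignInSessions",
}

if __name__ == "__main__":
    for finding in lint_http_action(SAMPLE):
        print("FINDING:", finding)
```

The lint cannot tell an application (client) ID from a secret ID, since both are GUIDs; that mix-up only shows up as a failed token request.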