Microsoft Entra: “Revoke sessions” now invalidates all user sessions

As announced last October, Microsoft has updated the “Revoke multifactor authentication sessions” action in Microsoft Entra.
Previously, this action applied only to legacy per-user MFA enforcement and had no effect on the recommended MFA configuration via Conditional Access.

“Revoke multifactor authentication sessions” has been updated

The updated “Revoke sessions” action invalidates all user sessions, including MFA, regardless of whether MFA is enforced via Conditional Access or per-user policies. This action triggers revokeSignInSessions via Microsoft Graph.

“Revoke sessions” invalidates all user sessions

Confirming the action

The action resets signInSessionsValidFromDateTime and is logged under the audit activity Update StsRefreshTokenValidFrom Timestamp.

Audit log for the account

The affected account will be required to re-authenticate on all connected devices.

Session revocation can also be triggered directly via Microsoft Graph.
The remediation steps Microsoft documents are to disable the account, revoke the user's sessions, and disable the associated devices; the script below performs all three.

PowerShell
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "User.ReadWrite", "Directory.AccessAsUser.All"

# Resolve the affected account to its object id
$UPN = "<UserPrincipalName>"
$UserObject = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$UPN"

# Step 1: Disable the account so no new sign-ins succeed
$Body = '{ "accountEnabled": false }'
$Url = "https://graph.microsoft.com/v1.0/users/$($UserObject.id)"
Invoke-MgGraphRequest -Method PATCH -Uri $Url -Body $Body -ContentType "application/json"

# Step 2: Revoke all refresh tokens (resets signInSessionsValidFromDateTime)
$Url = "https://graph.microsoft.com/v1.0/users/$($UserObject.id)/revokeSignInSessions"
Invoke-MgGraphRequest -Method POST -Uri $Url

# Step 3: Disable all devices registered to the user
$Url = "https://graph.microsoft.com/v1.0/users/$($UserObject.id)/registeredDevices"
$UserDevices = Invoke-MgGraphRequest -Method GET -Uri $Url

foreach ($Device in $UserDevices.value) {
    $Body = '{ "accountEnabled": false }'
    $Url = "https://graph.microsoft.com/v1.0/devices/$($Device.id)"
    Invoke-MgGraphRequest -Method PATCH -Uri $Url -Body $Body -ContentType "application/json"
}
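To verify that the revocation actually took effect, the following added example (not part of the original post) reads back the user's signInSessionsValidFromDateTime and searches the directory audit log for the matching "Update StsRefreshTokenValidFrom Timestamp" entries; the placeholder UPN, the 24-hour lookback and the read-only scopes are assumptions for this example.

```powershell
# Added verification example, not code from the original post.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$UPN = "<UserPrincipalName>"   # placeholder: the account whose sessions were revoked

# 1. Read the timestamp the revocation resets; it must be later than the moment
#    "Revoke sessions" was clicked or revokeSignInSessions was called.
$Select = '?$select=id,userPrincipalName,signInSessionsValidFromDateTime'
$User = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$UPN$Select"
$ValidFrom = ([datetime]$User.signInSessionsValidFromDateTime).ToUniversalTime()
Write-Host "Sessions for $($User.userPrincipalName) are only valid from (UTC): $($ValidFrom.ToString('o'))"

# 2. Pull the audit entries written by the action in the last 24 hours (assumed window),
#    following @odata.nextLink so that paged results are not silently truncated.
$Since = (Get-Date).ToUniversalTime().AddHours(-24).ToString('o')
$Filter = "activityDisplayName eq 'Update StsRefreshTokenValidFrom Timestamp' and activityDateTime ge $Since"
$Uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$Filter&`$top=100"
$Events = @()
do {
    $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $Events += $Page.value
    $Uri = $Page.'@odata.nextLink'
} while ($Uri)

# 3. Keep only the entries whose target resource is this user and report who triggered them.
$UserEvents = $Events | Where-Object {
    ($_.targetResources | Where-Object { $_.id -eq $User.id }) -ne $null
}
if (-not $UserEvents) {
    Write-Warning "No revocation audit entry found for $UPN in the last 24 hours."
}
foreach ($Event in $UserEvents) {
    $Actor = if ($Event.initiatedBy.user) { $Event.initiatedBy.user.userPrincipalName }
             else { $Event.initiatedBy.app.displayName }
    Write-Host "$($Event.activityDateTime)  $($Event.activityDisplayName)  result=$($Event.result)  by=$Actor"
}
```

Note that revocation invalidates refresh tokens; access tokens already issued stay valid until they expire, so clients are forced to re-authenticate only when they next need a new token.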

Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
