Updated Revoke-AADSignInSessions Playbooks Instructions

v-kasghosh · v-kasghosh · commit ac0ddea40bf4 · 2025-12-04T16:28:50.000+05:30
diff --git a/Solutions/Microsoft Entra ID/Package/3.3.7.zip b/Solutions/Microsoft Entra ID/Package/3.3.7.zip
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json
@@ -5,7 +5,7 @@
         "title": "Revoke-Entra ID SignInSessions alert trigger",
         "description": "This playbook will revoke all signin sessions for the user using Graph API.  It will send an email to the user's manager.",
         "prerequisites": ["1. You must create an app registration for graph api with appropriate permissions.", "2.  You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID."],
-        "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity.","3. For more detailed steps [click Here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Revoke-AADSignInSessions/readme.md)"],
+        "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.RevokeSessions.All API permissions to the managed identity.","3. For more detailed steps [click Here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Revoke-AADSignInSessions/readme.md)"],
         "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API.  It will send and email to the user's manager.",
         
         "lastUpdateTime": "2021-07-14T00:00:00.000Z",
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json
@@ -5,7 +5,7 @@
         "title": "Revoke Entra ID  Sign-in session using entity trigger",
         "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.",
         "prerequisites": "",
-    "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity.","3. For more detailed steps [click Here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Revoke-AADSignInSessions/readme.md)"],
+    "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.RevokeSessions.All API permissions to the managed identity.","3. For more detailed steps [click Here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Revoke-AADSignInSessions/readme.md)"],
     "prerequisitesDeployTemplateFile": "",
     "lastUpdateTime": "2022-12-22T00:00:00.000Z",
 "entities": ["Account"],
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json
@@ -4,7 +4,7 @@
     "metadata": {
         "title": "Revoke Entra ID SignIn Sessions - incident trigger",
         "description": "This playbook will revoke all signin sessions for the user using Graph API.  It will send an email to the user's manager.",
-        "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity.","3. For more detailed steps [click Here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Revoke-AADSignInSessions/readme.md)"],
+        "postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign User.RevokeSessions.All API permissions to the managed identity.","3. For more detailed steps [click Here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Playbooks/Revoke-AADSignInSessions/readme.md)"],
         "lastUpdateTime": "2024-01-08T00:00:00.000Z",
         "entities": [
             "Account"
diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/readme.md b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/readme.md
@@ -39,13 +39,13 @@ After deployment, you can run this playbook manually on an alert or attach it to
     - Select Resource group - where Playbook has been created
     - Select Role - Microsoft Sentinel Responder
     - Click Save (It takes 3-5 minutes to show the added role.)
-3. You will need to grant User.ReadWrite.All permissions to the managed identity.  Run the following code replacing the managed identity object id.  You find the managed identity object id on the Identity blade under Settings for the Logic App.
+3. You will need to grant User.RevokeSessions.All permissions to the managed identity.  Run the following code replacing the managed identity object id.  You find the managed identity object id on the Identity blade under Settings for the Logic App.
 ```powershell
 $MIGuid = "<Enter your managed identity guid here>"
 $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
 
 $GraphAppId = "00000003-0000-0000-c000-000000000000"
-$PermissionName = "User.ReadWrite.All" 
+$PermissionName = "User.RevokeSessions.All" 
 
 $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
 $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
diff --git a/Solutions/Microsoft Entra ID/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                                                                                                                                         |
 | ----------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| 3.3.7       | 04-12-2025                     | Updated Revoke-AADSignInSessions **Playbooks** Instructions |
 | 3.3.6       | 23-09-2025                     | Updated  **Analytical Rule** to fix the rule saving issue. <br/> Removed Preview Designation from **Microsoft Entra ID Connector** Data Types.  | 
 | 3.3.5       | 25-07-2025                     | Updated Entra id Conditional Access (prefix) **Analytical Rule** |
 | 3.3.4       | 10-07-2025                     | Updated **Analytical Rule** NRT_UseraddedtoPrivilgedGroups.yaml and UseraddedtoPrivilgedGroups.yaml
