
Remove M365 login credentials with command line and revoke OAUTH2 tokens with MGGRAPH

Introduction

Windows stores information relating to “credentials” in its identity manager. When a connection problem occurs, it can be useful to delete these stored “credentials”. This can be done from the command line with the CMDKEY tool, so the commands can be packaged in a .CMD file and given to a user as a troubleshooting shortcut.

It is also possible, especially in the event of a security issue, to decide to revoke the access tokens at the M365 account level. In this case, the credentials on the devices will no longer work and new authentications will take place interactively or via SSO.

Delete stored credentials on the Windows device

To list all the “credentials” stored on a Windows 10 client workstation, all you have to do is use the following command (with the account of the user concerned):

cmdkey /list

You can use cmdkey /delete to delete a single credential.

To delete only the “credentials” stored by OneDrive, just filter on the keyword “onedrive”:

FOR /F "tokens=1,3 delims= " %G in ('cmdkey /list ^| findstr /I onedrive') DO cmdkey /delete:%H

To remove only the “credentials” stored for Teams, just filter on the keyword “teams”:

FOR /F "tokens=1,3 delims= " %G in ('cmdkey /list ^| findstr /I teams') DO cmdkey /delete:%H

Note: It is common to have multiple Teams credentials because you can have a credential for the user’s account and for their guest accounts (from other tenants).
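As an added example (not part of the original post), the same filter-and-delete logic in PowerShell: it reads the label line of each cmdkey /list entry by splitting on the first colon, so it does not depend on the token position, whereas the FOR loops above take the third space-separated token, which assumes a localized label such as “Cible : <name>” (on an English system the line reads “Target: <name>”, where the name is the second token). The function names and the sample output below are constructed for this example; -WhatIf shows what would be deleted without calling cmdkey.

```powershell
# Added example (not from the original post): list, and optionally delete,
# Credential Manager entries whose target matches a keyword, parsing the
# output of "cmdkey /list" rather than relying on a fixed token position.
# Assumption: each entry has a label line "Target: <name>" (English) or a
# localized label such as "Cible : <name>"; the text after the first colon
# is the name that "cmdkey /delete:<name>" expects.
function Get-StoredCredentialTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$CmdkeyOutput = (cmdkey /list)   # lines of "cmdkey /list"
    )
    foreach ($line in $CmdkeyOutput) {
        # Split on the first colon only: target names themselves contain colons
        # (e.g. "LegacyGeneric:target=MicrosoftOffice16_Data:ADAL:...").
        $idx = $line.IndexOf(':')
        if ($idx -lt 0) { continue }
        $label = $line.Substring(0, $idx).Trim()
        $value = $line.Substring($idx + 1).Trim()
        # Keep only the target lines; "Type:" and "User:" lines are skipped.
        if ($label -notmatch '^(Target|Cible)$') { continue }
        if ($value -like "*$Filter*") { $value }   # -like is case-insensitive
    }
}

function Remove-StoredCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$CmdkeyOutput = (cmdkey /list)
    )
    foreach ($target in Get-StoredCredentialTarget -Filter $Filter -CmdkeyOutput $CmdkeyOutput) {
        # ShouldProcess gives -WhatIf and -Confirm support for the deletion.
        if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
            cmdkey "/delete:$target" | Out-Null
        }
    }
}

# Constructed sample of "cmdkey /list" output (English labels) for an offline dry run.
$sample = @(
    'Currently stored credentials:'
    ''
    '    Target: LegacyGeneric:target=MicrosoftOffice16_Data:ADAL:user@contoso.example'
    '    Type: Generic'
    '    User: user@contoso.example'
    '    Target: LegacyGeneric:target=OneDrive Cached Credential'
    '    Target: LegacyGeneric:target=teams:user@contoso.example'
)
Get-StoredCredentialTarget -Filter onedrive -CmdkeyOutput $sample   # one match
Remove-StoredCredential -Filter teams -CmdkeyOutput $sample -WhatIf  # prints, deletes nothing
```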

Revoke OAuth2 tokens

It is possible to revoke a user’s tokens via the MGGRAPH administration module in PowerShell. The Revoke-MgUserSignInSession command lets an administrator reset the user’s refreshTokensValidFromDate field, thereby rendering their tokens invalid; access tokens that were already issued remain usable until they expire, so the effect applies once the client next has to refresh.

To do this, you need to connect to MGGRAPH with the rights ‘User.RevokeSessions.All, User.ReadWrite.All, Directory.ReadWrite.All’. According to Microsoft’s documentation, these rights do not exist in delegated mode, but in fact these delegated rights do exist.

Connect with the following command:

Connect-MgGraph -Scopes User.RevokeSessions.All, User.ReadWrite.All, Directory.ReadWrite.All

Look up the ID of the user concerned with Get-MgUser, or pass the user’s UserPrincipalName directly as the -UserId of Revoke-MgUserSignInSession.

Revoke-MgUserSignInSession -UserId user@your_domain.com

By Lionel TRAVERSE
Microsoft 365 Certified Administrator Expert / Microsoft Certified Trainer