About session revocation

Session revocation allows administrators to terminate (revoke) a device's session token when the device is out of compliance and the UEM policy action is a blocking action, or when the device is retired. Revocation prevents out-of-compliance and retired devices from continuing to use a session token stored on the device to access the cloud service. Session revocation affects the sessions of the managed applications (service provider) on all the devices the user uses to access the cloud service. After a session token is revoked, the user has to re-authenticate with the service provider through Access to get a new session token. When the user tries to re-authenticate, Access enforces conditional policies and unblocks the app.

You can update the compliance policies in Core > Policies & Configs > Compliance Policies.

Compliance policy

  • Support for policy-action-based session revocation

  • Access Session Revocation Service (SRS) workflows are improved to take the UEM (Core) policy action configuration into account

  • Session revocation is triggered only for devices that are non-compliant and also have a blocking action set up against the corresponding policy

  • Session revocation is also triggered for other device states such as quarantine, wipe, and retire

  • For all other violations, if the configured action is non-blocking (such as email, monitor, or notify), Access takes no action

Session revocation is supported for Access deployments for Office 365 using the Azure Graph API and G Suite using Google API console. However, the session revocation feature is not supported for Access + Standalone Sentry deployments.

  • Session revocation is not supported with Connected Cloud.

  • To decide whether to start session revocation, Access checks the compliance action configured on UEM for the violated policy when the device goes out of compliance. For Cloud or Core deployments, session revocation is triggered if the device is out of compliance and the compliance action is either block or quarantine. Session revocation is also triggered if the device is wiped or retired.

  • To decide whether to start session revocation, Access checks the compliance action configured on UEM for the violated policy when the device goes out of compliance. For Core deployments, session revocation is triggered if the device is out of compliance and the compliance action is block. Session revocation is not triggered if the action is SendAlert.
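The decision logic above, written out as an added example (not Access or UEM product code) so the edge cases can be checked side by side: a blocking action on a non-compliant device, a non-blocking action such as SendAlert or monitor, a quarantined/wiped/retired device, and the fact that revocation applies to every session of the affected user rather than only the offending device. The device records are constructed sample data; the per-deployment sets of blocking actions follow the two bullets above (block or quarantine for Cloud, block only for Core) and are an assumption about how the text should be read.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Literal


class Action(str, Enum):
    """Compliance actions an administrator can configure on UEM."""
    BLOCK = "block"
    QUARANTINE = "quarantine"
    SEND_ALERT = "SendAlert"
    EMAIL = "email"
    MONITOR = "monitor"
    NOTIFY = "notify"


class DeviceState(str, Enum):
    ACTIVE = "active"
    QUARANTINED = "quarantine"
    WIPED = "wipe"
    RETIRED = "retire"


@dataclass
class Device:
    device_id: str
    user: str
    compliant: bool
    policy_action: Action   # action configured for the violated policy
    state: DeviceState


# Assumption from the text: Cloud treats block or quarantine as blocking,
# the Core-specific statement lists only block (SendAlert does not count).
BLOCKING_ACTIONS = {
    "cloud": {Action.BLOCK, Action.QUARANTINE},
    "core": {Action.BLOCK},
}

# Device states that trigger revocation regardless of the policy action.
REVOKING_STATES = {DeviceState.QUARANTINED, DeviceState.WIPED, DeviceState.RETIRED}


def should_revoke(device: Device, deployment: Literal["cloud", "core"]) -> bool:
    """True if this device's condition triggers session revocation."""
    if device.state in REVOKING_STATES:
        return True
    # Out of compliance alone is not enough; the action must be blocking.
    return (not device.compliant) and device.policy_action in BLOCKING_ACTIONS[deployment]


def users_to_revoke(devices: List[Device], deployment: Literal["cloud", "core"]) -> List[str]:
    """Revocation hits all sessions of the user, so collect users, not devices."""
    return sorted({d.user for d in devices if should_revoke(d, deployment)})
```

Run `users_to_revoke(devices, "core")` and `users_to_revoke(devices, "cloud")` over the same inventory to see that a quarantine action on a non-compliant device revokes only under the Cloud reading, while a retired device revokes under both.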