Coming Soon: Session Management and Instant Token Revocation
March 1, 2026 · GrantFlow Team
For a privileged access management platform, controlling session lifetime and having the ability to revoke access instantly is non-negotiable. GrantFlow is introducing application-level session management that goes beyond what Entra ID's built-in token lifecycle provides — giving administrators real-time control over who is logged in and the ability to terminate sessions immediately.
Feature in Development
This feature is currently in development. Details, functionality, and timelines described in this post may change before the final release.
Why Application-Level Sessions?
Entra ID issues tokens with a fixed lifetime of 60–90 minutes, and those tokens cannot be revoked on demand. For a PAM system, that creates two gaps:
- Session lifetimes are too long. A 90-minute window is acceptable for general-purpose apps, but not for a platform that grants privileged access. GrantFlow will enforce a shorter maximum session age — 15 minutes by default.
- No instant revocation. If a security incident requires blocking a user immediately, waiting up to 90 minutes for the token to expire is not an option. GrantFlow will provide instant session termination so any session can be ended immediately.
How It Works
GrantFlow validates every request against its own session layer on top of the standard Entra ID authentication. If a session has been revoked or has exceeded the maximum age, the user is prompted to re-authenticate immediately — with a clear Session Expired page rather than a confusing redirect.
Session revocation takes effect on the next request, so there is no window where a terminated session can still perform actions.
Admin Session Dashboard
A new admin view lets you see all active sessions across your tenant and take action:
- Active session list — see who is logged in, from which browser and IP address, and when the session started.
- Revoke a session — terminate a specific session. The user is prompted to re-authenticate on their next request.
- Revoke all sessions for a user — block every active session for a user at once. Useful during incident response or offboarding.
- Real-time updates — the dashboard refreshes live when sessions are created or revoked.
Every revocation is logged in the audit trail with the admin who performed it, the target user, and the reason.
Resilience and Tenant Isolation
The system is designed to fail closed — if any component is temporarily unavailable, GrantFlow denies the request rather than allowing a potentially revoked session through.
Session data is stored per-tenant, maintaining the same strict tenant isolation as the rest of GrantFlow's data model.
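The per-request check described under How It Works, together with the fail-closed and per-tenant behaviour described above, as an added illustration that is not GrantFlow's own code: a minimal in-memory session store with single and bulk revocation, and a check that denies on expiry, revocation, an unknown (or cross-tenant) session, or a backend outage. All class and function names, the audit-record shape and the seconds-based timestamps are assumptions made for this example.

```python
from dataclasses import dataclass
MAX_SESSION_AGE = 15 * 60  # seconds; GrantFlow's stated default of 15 minutes
class StoreUnavailable(Exception):
    """Raised when the session backend cannot be reached."""

@dataclass
class Session:
    user_id: str
    started_at: float   # Unix timestamp (seconds); an assumption for this example
    revoked: bool = False

class SessionStore:
    """In-memory stand-in for a per-tenant session backend (hypothetical)."""
    def __init__(self):
        self._sessions = {}    # keyed by (tenant_id, session_id): tenant isolation
        self.audit_log = []    # who revoked whose session, and why
        self.available = True  # set False to simulate an outage

    def create(self, tenant_id, session_id, user_id, now):
        self._sessions[(tenant_id, session_id)] = Session(user_id, now)

    def get(self, tenant_id, session_id):
        if not self.available:
            raise StoreUnavailable("session backend unreachable")
        return self._sessions.get((tenant_id, session_id))

    def revoke(self, tenant_id, session_id, admin, reason):
        session = self._sessions[(tenant_id, session_id)]
        session.revoked = True
        self.audit_log.append({"admin": admin, "user": session.user_id, "reason": reason})

    def revoke_all_for_user(self, tenant_id, user_id, admin, reason):
        for (tenant, sid), s in list(self._sessions.items()):
            if tenant == tenant_id and s.user_id == user_id and not s.revoked:
                self.revoke(tenant, sid, admin, reason)

def check_session(store, tenant_id, session_id, now, max_age=MAX_SESSION_AGE):
    """Per-request decision: 'ok' or 'denied:<reason>'. Backend errors fail closed."""
    try:
        session = store.get(tenant_id, session_id)
    except StoreUnavailable:
        return "denied:store_unavailable"  # fail closed, never fail open
    if session is None:
        return "denied:unknown_session"    # also covers a cross-tenant lookup
    if session.revoked:
        return "denied:revoked"            # effective on the very next request
    if now - session.started_at > max_age:
        return "denied:expired"
    return "ok"
```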
Configuration
Session behavior is configurable through the admin settings in the GrantFlow web interface. Each tenant can adjust:
- Maximum session age — defaults to 15 minutes
What This Means for You
When session management ships, it will be enabled automatically for all tenants with sensible defaults. No configuration changes are required. Administrators will find the new session views in the admin menu, and users will experience seamless re-authentication prompts when sessions expire.