We are hoping to add the step in our compromised account remediation workflow to revoke user's active signin sessions, however one of the permissions that the documentation says is required for this action (Directory.ReadWrite.All) is not something our Domain/Entra admins are comfortable with turning over to an always active service account. Has anyone else may have used the Entra spoke and the revoke session action and played around with reducing the graph permissions and had any success, and if so could you share what you used.
Thanks,
Jeff
