Programmatic revocation of delegated permissions (full or partial) without admin may not work. Direct users to revoke access manually via Microsoft portals, as APIs require elevated permissions not available in your scenario. Even if you log users out and clear the token, this doesn't revoke permission.