Invalidate old Refresh Token after using it to get new access and refresh token

Hafiz Abdul Haseeb 1 Reputation point
2023-01-10T13:34:58.747+00:00

Hi,

Is there a way in AzureAD to invalidate the refresh token every time it's used to get a new access token and new refresh token?

Microsoft Entra ID

1 answer

  1. Shweta Mathur 26,721 Reputation points Microsoft Employee
    2023-01-11T06:35:12.2466667+00:00

    Hi @Hafiz Abdul Haseeb ,

    Thanks for reaching out.

    I understand you are looking to invalidate the old refresh token whenever you get a new access and refresh token.

    Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens.

    There is currently no way to revoke the old refresh token; you just need to not use it, and it will expire automatically once its lifetime ends. MaxInactiveTime prevents access if the client tries to access any resource by using the old refresh token after the specified period of time, which can be configured between a minimum of 10 minutes and a maximum of 90 days.

    However, there is a way to revoke all refresh tokens, but this will also invalidate your new refresh token.

    You can revoke the refresh tokens of the signed-in user using the Graph API below.

    POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,

    Shweta


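As an added illustration of the answer above (example code written for this page, not from the original post and not Microsoft's own client code): a Python client that redeems a refresh token at the v2.0 token endpoint, overwrites the old refresh token locally because Entra ID does not revoke it on rotation, and calls POST /me/revokeSignInSessions when every token of the user must go. The tenant, client id and scope are placeholders; FakeEntra is a constructed stand-in that models only the behaviour the answer describes, so the script runs offline, and treating either a 200 with {"value": true} or a 204 as a successful revoke is an assumption about the response shape.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint and the Graph call the answer cites.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REVOKE_URL = "https://graph.microsoft.com/v1.0/me/revokeSignInSessions"


def http_post(url, data=None, headers=None):
    """Real transport: POST form data (or an empty body); return (status, parsed JSON body)."""
    body = urllib.parse.urlencode(data).encode() if data else b""
    req = urllib.request.Request(url, data=body, method="POST", headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
    return resp.status, (json.loads(raw) if raw else {})


class TokenStore:
    """Client-side token pair. Entra ID leaves a redeemed refresh token valid until it
    expires or goes inactive, so the client is the only place the old one gets retired."""

    def __init__(self, access_token, refresh_token):
        self.access_token, self.refresh_token = access_token, refresh_token
        self.retired = []  # refresh tokens already redeemed; never send these again

    def rotate(self, access_token, refresh_token):
        self.retired.append(self.refresh_token)
        self.access_token, self.refresh_token = access_token, refresh_token

    def clear(self):
        self.retired.append(self.refresh_token)
        self.access_token = self.refresh_token = None


def refresh_tokens(store, tenant, client_id, scope, post=http_post, client_secret=None):
    """Redeem the current refresh token (grant_type=refresh_token) and rotate the store.
    Returns the new refresh token; raises on an error response such as invalid_grant."""
    form = {"client_id": client_id, "grant_type": "refresh_token",
            "refresh_token": store.refresh_token, "scope": scope}
    if client_secret:  # confidential clients also authenticate themselves
        form["client_secret"] = client_secret
    status, body = post(TOKEN_URL.format(tenant=tenant), data=form,
                        headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"refresh failed: {status} {body.get('error')}: {body.get('error_description')}")
    # A fresh refresh token is normally returned; keep the current one if it is absent.
    store.rotate(body["access_token"], body.get("refresh_token", store.refresh_token))
    return store.refresh_token


def revoke_all_sessions(store, post=http_post):
    """POST /me/revokeSignInSessions with the user's access token. Every refresh token of that
    user is invalidated, including the pair we hold, so the store is cleared on success.
    Assumption: 200 with {"value": true} (documented v1.0 body) or 204 both mean success."""
    status, body = post(REVOKE_URL, headers={"Authorization": f"Bearer {store.access_token}"})
    ok = status in (200, 204) and body.get("value", True) is True
    if ok:
        store.clear()
    return ok


class FakeEntra:
    """Constructed offline stand-in (not Microsoft's code) with the behaviour the answer
    describes: a refresh mints a new pair but leaves the old refresh token valid, and
    revokeSignInSessions invalidates all of them at once."""

    def __init__(self):
        self.valid_refresh = {"rt0"}
        self.n = 0

    def post(self, url, data=None, headers=None):
        if url.startswith("https://login.microsoftonline.com/"):
            if (data or {}).get("refresh_token") not in self.valid_refresh:
                return 400, {"error": "invalid_grant", "error_description": "token revoked or expired"}
            self.n += 1
            self.valid_refresh.add(f"rt{self.n}")  # earlier rtN stay valid
            return 200, {"access_token": f"at{self.n}", "refresh_token": f"rt{self.n}", "expires_in": 3600}
        if url == REVOKE_URL and (headers or {}).get("Authorization", "").startswith("Bearer "):
            self.valid_refresh.clear()
            return 200, {"value": True}
        return 404, {}


def demo():
    """Rotate twice, replay a retired token, then revoke everything, all against FakeEntra."""
    idp = FakeEntra()
    # Placeholder tenant, client id and scope (constructed for the example).
    args = ("contoso.onmicrosoft.com", "hypothetical-client-id",
            "https://graph.microsoft.com/.default offline_access")
    store = TokenStore("at0", "rt0")
    refresh_tokens(store, *args, post=idp.post)
    refresh_tokens(store, *args, post=idp.post)
    # A copy of retired rt0 (say, from a leaked backup) still redeems: the IdP never revoked it.
    stale = TokenStore(None, store.retired[0])
    replay_ok = refresh_tokens(stale, *args, post=idp.post) == "rt3"
    revoked = revoke_all_sessions(store, post=idp.post)
    try:
        refresh_tokens(stale, *args, post=idp.post)
        replay_after_revoke = True
    except RuntimeError:
        replay_after_revoke = False
    return {"current": store.refresh_token, "retired": store.retired, "replay_ok": replay_ok,
            "revoked": revoked, "replay_after_revoke": replay_after_revoke}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real tenant, pass the default `http_post` transport (drop the `post=` argument) and a real client id and, for a confidential client, `client_secret`; the replay step then shows the same thing the answer states, namely that a previously used refresh token is still accepted until its lifetime or MaxInactiveTime runs out, and only revokeSignInSessions closes that window for the whole user.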