Hi @Hafiz Abdul Haseeb ,
Thanks for reaching out.
I understand you are looking to invalidate the old refresh token whenever you get a new access token and refresh token.
Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens.
There is currently no way to revoke the old refresh token. You just need to not use it; it will expire automatically after the lifetime expires. MaxInactiveTime prevents access if the client tries to access any resource by using the old refresh token after the specified period of time, which can be configured between a minimum of 10 minutes and a maximum of 90 days.
However, there is a way to revoke all refresh tokens, but this will also invalidate your new refresh token.
You can revoke the refresh tokens of the signed-in user using the Graph API below.
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions
I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
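The client-side handling this answer implies, as an added example that is not part of the answer above or of any Microsoft sample: since the old refresh token is not revoked on use, the client retires it by overwriting its stored copy, and after revokeSignInSessions it drops everything and re-authenticates. The `TokenCache` class, the tenant and client ID placeholders, and the public-client assumption (no client secret) are hypothetical; the requests are built but not sent.

```python
import urllib.parse
import urllib.request

# Assumed placeholders, not values from the answer above.
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
REVOKE_URL = "https://graph.microsoft.com/v1.0/me/revokeSignInSessions"


class TokenCache:
    """Holds exactly one access/refresh token pair for one user."""

    def __init__(self, access_token, refresh_token):
        self.access_token = access_token
        self.refresh_token = refresh_token

    def refresh_request(self, scope):
        """Build the refresh_token grant request (not sent here)."""
        body = urllib.parse.urlencode({
            "grant_type": "refresh_token",
            "client_id": CLIENT_ID,
            "refresh_token": self.refresh_token,
            "scope": scope,
        }).encode()
        return urllib.request.Request(TOKEN_URL, data=body, method="POST")

    def apply_token_response(self, payload):
        """Overwrite the stored pair. The old refresh token is not revoked
        server-side, so discarding it here is what takes it out of use."""
        self.access_token = payload["access_token"]
        # Keep the current refresh token only if the response carried none.
        self.refresh_token = payload.get("refresh_token", self.refresh_token)

    def revoke_all_request(self):
        """Build the revokeSignInSessions call for the signed-in user."""
        return urllib.request.Request(
            REVOKE_URL, data=b"", method="POST",
            headers={"Authorization": f"Bearer {self.access_token}"})

    def clear_after_revoke(self):
        """Revocation also invalidates the newest refresh token: force re-auth."""
        self.access_token = None
        self.refresh_token = None
```

Persist the cache only after `apply_token_response` has run, so that no copy of the previous refresh token remains in storage.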