This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 7.000000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
I think I am running into a bug with AAD external user.
Here is my scenario:
I have AAD member type user account. I have an app registration setup for authorization code flow.
I am able to checkout an access token, refresh token. If I revoke the session from going into AAD --> User--> Revoke session, then further access token request with the refresh token fails. This works perfectly as expected.
However I have an external guest user . I perform same scenario. However revoking session doesnt invalidate refresh token. I am able to use refresh token and get a new access token. In other words revoke session is not working for external guest user. Pls see screen short. I am performing the api calls with postman.
@Martin Kallukalam
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 62%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMF%3C/text%3E%3C/svg%3E)
no further question. I have submitted a feature request to address this rather important shortcoming with invited guest user
I'd say that's by design. External users do not authenticate against your tenant, but against their "home" tenant. Thus any "revoke" action you perform will have no effect. If you want to prevent further access, you can block the user.
I doubt that is by design.
I agree external user is not authenticating against the tenant. However the oauth2 access, refresh token is issued by app registration which is a standard oauth2 flow.
So a user requesting an access token and refresh token regardless of how the authentication is performed, should behave same with respect to oauth2 mechanism.
I dont think a tenant user or a b2b external use should behave differently when it comes to oauth2 mechanism.
If AAD is issuing the oauth2 access and refresh token, it should very well be able to revoke the refresh token. PLs not refresh token is issued by AAD and not by the external user's tenant.
I am inclined to say this is fundamentally broken when it comes to a guest user plus it is a flaw in the mechanism if an external guest user can check out an access, refresh token by AAD, however AAD is not able to revoke the refresh token.
Can someone from development, engineering look into it.
The operation in question revokes ALL tokens, not the ones specific to your application. You wouldn't expect an admin in Contoso's tenant to be able to revoke all issued tokens across all apps and tenants for a user from Fabrikam's tenant, just because said users is added as Guest.
Actually, here's a quote from the documentation:
Thank you for the document reference.
Here is couple of concerns I have on this:-
Here is screen shot for #3.
I disabled the external user.
I am unable to get a new access token using refresh token
I reenable user
I am able to use the same refresh token to obtain a new access token.
So I am at a loss, how do I protect against the compromised refresh token?
I even went ahead and reset the b2b invitation state. No effect on refresh token. With same Refresh token I am able to obtain a new access token. This is very scary security situation. In other words a refresh token compromised can compromise data security with absolutely no way to revoke user access to the data.
I won't argue that the current experience is far from ideal, just trying to explain why the "revoke all sessions" action does not work in this case.
Quoting another user who reported the same issue
https://learn.microsoft.com/en-us/answers/questions/362668/how-to-revoke-a-b2b-active-directory-refresh-token
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Martin Kallukalam ,
Thanks for reaching out.
Vasil Michev answered to your query accurately. This behavior is expected by design.
I can understand your concern regarding security and token thefts.
Unfortunately, there is no way to invalidate a refresh token once it has been issued for guest users.
As suggested you can block the user by disabling the account or block access using cross tenant access.
Reference - Cross-tenant access overview - Azure AD - Microsoft Entra | Microsoft Docs
When Cross Tenant Access Policy is set to block access for all apps by an admin for a particular Guest User, operation start failing intermittently almost immediately with error messages, and you can collaborate with guest user to update the credentials.
As our team is working from security perspective in Microsoft Entra, you are welcome to leave your feedback in the feedback portal. https://feedback.azure.com/
Hope this will help.
Thanks,
Shweta
Shweta
I have posted a "share idea" on Azure feedback.
I understand it is working as designed, but it is broken functionality wise. Unable to revoke a guest user's access leave the organization vulnerable to bad actors . I have posted a feedback for a feature request. I think the B2B guest user functionality is unusable unless this can be mitigated .
Thanks for looking into this and providing documental support for this.
Martin Kallukalam We noticed your feedback that the answer on this thread was not helpful. Thank you for taking time to share your feedback. I have provided the answer to your query and understand your concern as well. Hoping your feedback help us to make our product better. Kindly let us know what we could have done better to improve the answer and make your experience better. Also, I would humbly request that you retake the survey for your experience on this thread. However, if you still feel that the options provided are not satisfactory, please let me know how I can further assist! Looking forward to your reply. Much appreciate your feedback! Thanks, Shweta
Shweta
The answer was helpful however there was no solution offered. Bottom line is there is no way to revoke the refresh token of an invited guest user.
I dont quite understand why - because the token is issued by Azure AD . In the case of an invited email guest user, the token is not issued by the tenant in which user reside, infact the user may or may not have a tenant. For instance in the case of a yahoo email.
So it eventually falls upon AAD to revoke the token which was issued by AAD.
You pointed me in the direction that this is how it works as per design but it doesnt resolve the issue.
Thanks for pointing me in the direction that it is how it works so that atleast I know I am not running into an anomaly.