How to invalidate user session tokens (Id_Token, Refresh_Token) upon password change

Shekhar Nadide 186 Reputation points
2024-04-18T15:14:20.2066667+00:00

Is it possible to invalidate/kill the user session tokens (Id_Token, Refresh_Token) whenever the user changes their password? If yes, how can it be done?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Vasil Michev 97,076 Reputation points MVP
    2024-04-18T16:09:43.8+00:00

    They will be invalidated by default due to the Continuous Access Evaluation feature supported by first-party Microsoft apps. If you have your own app and want to support such behavior, follow the instructions here to implement CAE support: https://learn.microsoft.com/en-us/entra/identity-platform/app-resilience-continuous-access-evaluation?tabs=dotnet

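An added example, not part of the answer above and not Microsoft's sample code: for a custom app, the client side of CAE support comes down to recognising the 401 claims challenge a CAE-enabled resource API returns once the user's sessions are revoked, and passing the decoded claims into the next token request. The header is a constructed sample, and the function names `extract_claims_challenge` and `build_sample_header` are hypothetical.

```python
import base64
import binascii
import json
import re

_PARAM = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in the challenge


def extract_claims_challenge(status, www_authenticate):
    """Return the decoded claims JSON from a CAE 401 challenge, else None."""
    if status != 401 or not www_authenticate:
        return None
    scheme, _, rest = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = dict(_PARAM.findall(rest))
    # Only error="insufficient_claims" signals a CAE claims challenge.
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        parsed = json.loads(decoded)
    except (binascii.Error, ValueError):
        return None  # malformed challenge: treat as an ordinary 401
    return decoded if isinstance(parsed, dict) else None


def build_sample_header(nbf="1604106651"):
    """Constructed sample of the header sent after a revocation event."""
    claims = json.dumps({"access_token": {"nbf": {"essential": True, "value": nbf}}})
    b64 = base64.b64encode(claims.encode()).decode()
    return f'Bearer realm="", error="insufficient_claims", claims="{b64}"', claims


if __name__ == "__main__":
    header, _ = build_sample_header()
    claims = extract_claims_challenge(401, header)
    print("claims challenge:", claims)
    # With MSAL Python, the app declares CAE capability and replays the claims:
    #   app = msal.PublicClientApplication(CLIENT_ID, client_capabilities=["CP1"])
    #   result = app.acquire_token_silent(SCOPES, account, claims_challenge=claims)
    # If that returns no token, fall back to an interactive sign-in, which
    # prompts the user for the new password.
```

`CLIENT_ID`, `SCOPES` and `account` in the trailing comment are placeholders for the app's own values.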