How to invalidate user session tokens (Id_Token, Refresh_Token) upon password change

Shekhar Nadide 186 Reputation points

Is it possible to invalidate/kill the user session tokens (Id_Token, Refresh_Token) whenever the user changes their password? If yes, how can it be done?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Vasil Michev 97,076 Reputation points MVP

    They will be invalidated by default due to the Continuous Access Evaluation feature supported by first-party Microsoft apps. If you have your own app and want to support such behavior, follow the instructions here to implement CAE support:

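For an app of your own, one part of CAE support is recognising the claims challenge a CAE-enabled API returns once a token has been revoked, for example after a password change. The sketch below is an added example, not part of the answer above and not Microsoft's code. The function names and the sample header are constructed for illustration, and it assumes the challenge arrives as a 401 whose `WWW-Authenticate: Bearer` header carries `error="insufficient_claims"` and a base64 `claims` value.

```python
import base64
import json
import re

# Constructed sample: the header a CAE-enabled API might send with a 401
# after the user's token has been revoked.
SAMPLE_CLAIMS = base64.b64encode(
    b'{"access_token":{"nbf":{"essential":true,"value":"1604106651"}}}'
).decode()
SAMPLE_HEADER = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    f'claims="{SAMPLE_CLAIMS}"'
)

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_params(header):
    """Split a Bearer WWW-Authenticate header into its key="value" parameters."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {key.lower(): value for key, value in _PARAM.findall(rest)}


def extract_claims_challenge(status, header):
    """Return the decoded claims JSON text if this is a claims challenge, else None."""
    if status != 401 or not header:
        return None
    params = parse_bearer_params(header)
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None  # an ordinary 401 (e.g. expired token), not a CAE challenge
    raw = params["claims"].replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # tolerate a value sent without padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        json.loads(decoded)  # reject anything that is not well-formed JSON
    except ValueError:
        return None
    return decoded
```

The returned string is what the client hands to its token library when it requests a fresh token, which sends the user back through sign-in instead of replaying the revoked token.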