Issues in revoking B2C Sessions Globally

Lakindu Hewawasam 0 Reputation points
2025-02-24T05:57:22.19+00:00

Hi,

I have an application that leverages custom policies for authentication on Azure AD B2C. The issue lies in signing a user out of the application.

I'm implementing a scenario where when a user logs out, they log out from all sessions that they maintain globally. To do so, we call the revoke sign in sessions method from the Graph API.

But we found out that the session isn't cleared for the user when logging out, and the user is able to maintain the session and refresh the credentials at ease.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Anonymous
    2025-02-25T10:32:23.8066667+00:00

    Hello @Lakindu Hewawasam

    Thank you for posting your query on Microsoft Q&A.

    Ensure you implement and leverage single sign-out to invalidate/remove all session cookies. The revokeSignInSessions operation does not remove them, so extra steps must be taken. This issue has been around for a long time. As far as I know, the Graph API does not yet support revoking sessions for Azure AD B2C users.

    Refer to similar threads: https://learn.microsoft.com/en-us/answers/questions/75189/azure-b2c-revoke-refresh-tokens

    https://learn.microsoft.com/en-us/answers/questions/1443262/revoke-refresh-tokens-session-in-azure-ad-b2c

    Document: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

    https://learn.microsoft.com/en-us/entra/identity-platform/scenario-web-app-sign-user-sign-in?tabs=aspnetcore#sign-out

    Revoking the sessions clears the refresh token but doesn't expire the SSO cookies in the browser.

    Using custom policies you need to implement the following:

    https://github.com/azure-ad-b2c/samples/tree/master/policies/revoke-sso-sessions

    To test the policy:

    1. Use the SignUpOrSignIn policy to sign in or sign up.
    2. Wait 10 seconds, then use PowerShell to revoke the user's refresh token:

    Revoke-AzureADUserAllRefreshToken -ObjectId <GUID>

    3. Launch the SignUpOrSignIn policy or the ProfileEdit policy (remove the prompt query parameter).
    4. Ensure that &prompt=login is removed.

    See also: revokeSignInSessions

    I hope this clarifies things. Please contact us if you have any additional questions.  

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query do let us know.
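An added example, not code from this thread or from Microsoft's samples, showing how a web app's logout handler can combine the two steps the answer describes: a best-effort Graph revokeSignInSessions call (which only invalidates refresh tokens) and a redirect to the B2C end_session endpoint, which is what actually clears the SSO cookie. The tenant name, policy name, redirect URI and the injectable `send` transport are assumptions.

```python
# Added example (not from the Q&A thread or Microsoft's samples): a logout
# handler for an Azure AD B2C web app that does both halves of a global
# sign-out. Graph revokeSignInSessions only invalidates refresh tokens; the
# redirect to the B2C end_session endpoint is what clears the SSO cookie.
# Tenant, policy, redirect URI and the injected `send` callable are assumptions.
from typing import Callable, Optional
import urllib.parse
import urllib.request

GRAPH_REVOKE = "https://graph.microsoft.com/v1.0/users/{oid}/revokeSignInSessions"
B2C_LOGOUT = ("https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
              "{policy}/oauth2/v2.0/logout")


def build_revoke_request(user_oid: str, graph_token: str) -> urllib.request.Request:
    """POST with an empty body, authorised by an app-only Graph access token."""
    return urllib.request.Request(
        GRAPH_REVOKE.format(oid=user_oid), data=b"", method="POST",
        headers={"Authorization": f"Bearer {graph_token}", "Content-Length": "0"})


def build_logout_url(tenant: str, policy: str, post_logout_redirect_uri: str,
                     id_token_hint: Optional[str] = None) -> str:
    """B2C end_session URL; id_token_hint tells B2C which app/user is signing out."""
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    return B2C_LOGOUT.format(tenant=tenant, policy=policy) + "?" + urllib.parse.urlencode(params)


def _send(req: urllib.request.Request) -> int:
    """Default transport: perform the request and return the HTTP status code."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def global_logout(session: dict, tenant: str, policy: str, redirect_uri: str,
                  graph_token: str, send: Callable[[urllib.request.Request], int] = _send) -> dict:
    """Clear the app session and return the redirect the framework should issue.
    `session` is the server-side session dict; `send` is injectable for offline tests."""
    revoked = False
    oid = session.get("oid")
    if oid:
        try:
            revoked = 200 <= send(build_revoke_request(oid, graph_token)) < 300
        except Exception:
            revoked = False  # best-effort: a Graph failure must never skip the cookie clear
    id_token = session.get("id_token")
    session.clear()  # drop the app's own cookie-backed session regardless of Graph outcome
    return {"revoked": revoked,
            "redirect": build_logout_url(tenant, policy, redirect_uri, id_token)}
```

The browser redirect is the step that ends the B2C SSO session; the Graph call alone leaves the cookie in place, which is the behaviour the question describes.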

