Hello @Lakindu Hewawasam
Thank you for posting your query on Microsoft Q&A.
Ensure you implement and leverage single sign-out to invalidate/remove all session cookies. The revokeSignInSessions operation does not remove them, so extra steps must be taken. This issue has been around for a long time. As far as I know, the Graph API does not yet support revoking sessions for Azure AD B2C users.
Refer to this similar thread: https://learn.microsoft.com/en-us/answers/questions/75189/azure-b2c-revoke-refresh-tokens
Document: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
Revoking the sessions clears the refresh token but doesn't expire the SSO cookies in the browser.
Using custom policies, you need to implement the following:
https://github.com/azure-ad-b2c/samples/tree/master/policies/revoke-sso-sessions
To test the policy:
- Use the SignUpOrSignIn policy to sign in or sign up.
- Wait 10 seconds, then use PowerShell to revoke the user's refresh tokens:
Revoke-AzureADUserAllRefreshToken -ObjectId <GUID>
- Launch the SignUpOrSignIn policy or the ProfileEdit policy (remove the prompt query parameter).
- Ensure that &prompt=login is removed.
See also: revokeSignInSessions
I hope this clarifies things. Please contact us if you have any additional questions.
If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query do let us know.
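The core of the revoke-sso-sessions approach is a timestamp comparison: revoking a user's sign-in sessions moves the user's signInSessionsValidFromDateTime attribute to the time of the call, and any SSO cookie or app session that was established before that cut-off must be refused even though it has not expired on its own. The following Python is an added example written for this thread, not code from the linked sample or from Microsoft; the Graph user record and the session list are constructed inline (in practice the attribute would be read from the user resource), the session field names are assumptions, and the skew handling is a design choice explained in the comments.

```python
"""Decide whether existing sessions should still be honoured after a
revokeSignInSessions call, by comparing each session's issue time with the
user's signInSessionsValidFromDateTime attribute.

Constructed example: GRAPH_USER and SESSIONS below are made up for the demo;
nothing here talks to Microsoft Graph or Azure AD B2C.
"""
from datetime import datetime, timedelta, timezone


def parse_graph_datetime(value: str) -> datetime:
    """Parse an ISO 8601 timestamp as returned by Graph (trailing 'Z').

    datetime.fromisoformat() rejects 'Z' on Python < 3.11, so normalise it
    to an explicit '+00:00' offset first and always return a UTC value.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def to_utc(issued_at) -> datetime:
    """Accept either a Graph-style string or an epoch-seconds value (JWT 'iat')."""
    if isinstance(issued_at, (int, float)):
        return datetime.fromtimestamp(issued_at, tz=timezone.utc)
    return parse_graph_datetime(issued_at)


def session_is_valid(issued_at, graph_user: dict, skew_seconds: int = 0) -> bool:
    """Return True only if the session was established at or after the cut-off.

    Fail closed on clock skew: sessions issued within skew_seconds AFTER the
    revocation time are also rejected, because a token issuer whose clock runs
    ahead could stamp a pre-revocation session with a post-revocation time.
    Rejecting it only costs the user a fresh sign-in.
    """
    valid_from = graph_user.get("signInSessionsValidFromDateTime")
    if valid_from is None:
        # Attribute never populated: no revocation has been recorded.
        return True
    cutoff = parse_graph_datetime(valid_from) + timedelta(seconds=skew_seconds)
    return to_utc(issued_at) >= cutoff


def surviving_sessions(sessions, graph_user: dict, skew_seconds: int = 0):
    """Return the session ids that pass the cut-off check."""
    return [
        s["id"] for s in sessions
        if session_is_valid(s["issued_at"], graph_user, skew_seconds)
    ]


# Constructed Graph user record: revocation happened at 10:00:00 UTC.
GRAPH_USER = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    "signInSessionsValidFromDateTime": "2024-03-01T10:00:00Z",
}

# Constructed sessions: one before the cut-off, one exactly at it
# (given as epoch seconds, as a JWT 'iat' would be), one shortly after.
SESSIONS = [
    {"id": "old-cookie", "issued_at": "2024-03-01T09:59:50Z"},
    {"id": "at-cutoff", "issued_at": 1709287200},  # 2024-03-01T10:00:00Z
    {"id": "fresh-login", "issued_at": "2024-03-01T10:00:05Z"},
]

if __name__ == "__main__":
    print("no skew:", surviving_sessions(SESSIONS, GRAPH_USER))
    print("30s skew:", surviving_sessions(SESSIONS, GRAPH_USER, skew_seconds=30))
```

Used in an application's session middleware, this check is what makes a revocation effective for sessions that are still cached on the client; the custom policy in the linked sample performs the equivalent comparison inside B2C so that the SSO cookie itself is refused.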