Azure AD B2C - SSO with Azure Entra doesn't send IDP refresh token

Maxime D 0 Reputation points
2025-03-11T16:44:15.7433333+00:00

Hi,

I have an Azure AD B2C instance that allows you to connect via SSO with an Azure Entra IDP. The connection works fine, and I tried to add the IDP access token and the IDP refresh token in order to use the Graph APIs. The IDP access token is correctly returned in the issued JWT, but not the refresh token.

I followed the procedure indicated here:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/idp-pass-through-user-flow?pivots=b2c-custom-policy#pass-the-idp-refresh-token-optional

But it does not work, and I have no errors in the Insights logs.

How to ensure that the refresh token is correctly returned?

Thank you,

Maxime
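For readers following the same procedure, the fragments below show the three places in a B2C custom policy that have to agree for the IdP tokens to reach the application: the claim-type definitions, the OpenID Connect technical profile that federates to the Entra tenant, and the relying-party output claims. This is an added example, not code from the original post or from Microsoft's sample policies. The technical profile id `Entra-OIDC`, the relying-party and journey names, the domain, and the `TENANT_ID_PLACEHOLDER`, `CLIENT_ID_PLACEHOLDER` and `B2C_1A_EntraClientSecret` values are assumptions that stand in for a real deployment.

```xml
<!-- Added example, not from the original post or from Microsoft's sample policies.
     Assumed names: technical profile "Entra-OIDC", relying party "PolicyProfile",
     journey "SignUpOrSignIn"; TENANT_ID_PLACEHOLDER, CLIENT_ID_PLACEHOLDER and the
     key container B2C_1A_EntraClientSecret stand for the values of a real tenant. -->

<!-- 1. Claim types that carry the tokens returned by the federated identity provider. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="identityProviderAccessToken">
      <DisplayName>Identity provider access token</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="identityProviderRefreshToken">
      <DisplayName>Identity provider refresh token</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- 2. The OpenID Connect technical profile that talks to the Entra tenant. -->
<ClaimsProvider>
  <Domain>contoso-placeholder.example</Domain>
  <DisplayName>Microsoft Entra ID</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Entra-OIDC">
      <DisplayName>Entra ID</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">CLIENT_ID_PLACEHOLDER</Item>
        <!-- The authorization-code flow is required: tokens come back from the token endpoint,
             which is also the only place a refresh token can be issued. -->
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <!-- Entra ID issues a refresh token only when offline_access is among the requested
             scopes; without it the token response simply has no refresh_token to map. -->
        <Item Key="scope">openid profile offline_access</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_EntraClientSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <!-- The {oauth2:...} partner claim types read fields of the IdP token response
             rather than claims inside the id_token. -->
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
        <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. Relying party: only the claims listed here appear in the token B2C issues to the app. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token" />
      <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="idp_refresh_token" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

When troubleshooting, check the three stages in order: the `scope` metadata must include `offline_access` so that a `refresh_token` field exists in the Entra token response, the `{oauth2:refresh_token}` output claim must be present on the federating technical profile, and the relying party must list `identityProviderRefreshToken` as an output claim. Because the IdP refresh token is a long-lived credential for the user's Entra account, return `idp_refresh_token` only to a confidential client that stores it server-side, and keep it out of public clients and browser storage.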

Microsoft Entra ID

1 answer

  1. Harshitha Eligeti 1,930 Reputation points Microsoft External Staff
    2025-03-17T12:36:43.9533333+00:00

    Hello @Maxime D
    I understand that you are trying to pass the refresh token along with the IDP access token, using Azure AD B2C to connect via SSO with an Azure Entra IDP. You’ve followed the recommended procedure, but the refresh token isn’t being returned, and there are no errors in the logs. To ensure that the refresh token is correctly returned in your Azure AD B2C custom policy, you need to verify that the <IncludeInSso> element is set to True within your technical profiles. By default, this is usually set to True, but if it's set to False, it can affect the issuance of the refresh token, as the token may not be included in the session.
    Example:

    <TechnicalProfile Id="AAD-Common">
      <DisplayName>Azure Active Directory</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->
      <IncludeInSso>false</IncludeInSso>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    
    

    Refer to this document: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile#protocol
    When a technical profile doesn't reference any session management provider, the DefaultSSOSessionProvider session provider is applied, which may cause unexpected behavior.

    Hope this helps. If you are still facing the issue, let us know. Happy to help.

