This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 93%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
I haven't had any success revoking the B2C session cookies with /users/{id}/revokeSignInSessions endpoint. I can see that it actually updates the "refreshTokensValidFromDateTime" property, so probably not a permission issue. Rejecting refresh tokens from before that date in a custom policy during sign in has no effect. I guess the custom policy is not even being run because the session cookie is still valid. It also seems not to have an effect in the default signin user flow.
It is an issue in particular in combination with Keep Me Signed In and revoking access globally (not only in the current browser, so calling /logout endpoint not an option). Lowering access token or cookie lifetime, or changing SingleSignOn Scope attribute is not an option. Changing the user's password does not invalidate the cookie either. Only way to invalidate the cookies seems to be to set Scope=Policy and forcing that user to a different policy or disabling the user. Then leave it like that until cookie expires (after days specified in SingleSignOn KeepAliveInDays attribute).
Am I doing something wrong?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 32%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Thanks @Morten Østerlund Jørgensen . Yes and this is expected and refresh tokens are revoked and its explained in the document - https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
But according to the documentation you are linking to, it is supposed to also invalidate the cookie: "(as well as session cookies in a user's browser)".
So if that is not the case, there is no way to revoke the session cookies (than e.g. disabling the user, as I wrote)?
Thanks and this is the currently supported scenario. However you can verify by simply disabling the user, as we need to read the refreshTokenLastValidFrom timestamp on the user object. You could put a defaultValue for <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />, and also adjust that it doesnt throw an error on failed lookup by adding the metadata item RaiseErrorIfClaimsPrincipalDoesNotExist:false
Not sure how you want me to disable the user. I was referring to disabling the user in our own app, so rejecting the token issued by B2C in our app. In Azure portal B2C tenant in the user's profile I only see the option "Block sign in (yes/no)". Setting "yes" does not affect a client that already has a cookie.
Setting default refreshTokenIssuedOnDateTime and RaiseErrorIfClaimsPrincipalDoesNotExist=false does not reject existing cookie either.
See attached XMLs. Don't want to upload my full XMLs here, so tried to remove the non-relevant parts.
75842-trustframeworkbase.xml75770-trustframeworkextensions.xml
Please follow the document to disable the user - https://learn.microsoft.com/en-us/answers/questions/84723/not-able-to-disable-user-account-using-accountenab.html
Patch https://graph.microsoft.com/v1.0/users/testuser1@.domain.onmicrosoft.com
Request Body - {"accountEnabled":"false"}
But what exactly do you want to achieve by disabling the user? Is it for you to be able to debug it? We don't want to disable the user. We want all cookies to be invalidated, but the legitimate owner of the account to be able to log in right afterwards.
It's very confusing what you are writing:
Thanks @Morten Østerlund Jørgensen and let me discuss internally with your scenario and will get back to you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 28.999999999999996%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
The Graph API command to revoke the session in respect to Azure AD B2C does not invalidate the B2C users session cookie. It only sets the refreshTokenLastValidFrom timestamp to the current time.
When using a SPA app, .Net App with PKCE flow, the users access token expiration will determine when the refresh token is subsequently used. If this exchange fails due to the /revoke endpoint being called, the user is asked to login again.
When the user is asked to login again, the Azure AD B2C web session sso cookies may give SSO if present and valid, as you note. Otherwise the user is asked to reauthenticate. You can force the behavior slightly by passing 'prompt=login' as part of the loginRedirect() method to clear the cookies in this scenario (when refresh token call fails).
You can also reduce the web session SSO liftetime such that the cookie is valid for a shorter period of time, somewhat mitigating how long the user may still have access without reauthenticating after the /revoke endpoint is called.
Be aware, that the refresh token in the SPA PKCE flow is only valid for 24 hours, and reducing the web session SSO lifetime will also effect users who have not had the /revoke endpoint called against them. For example if the user visits another application, they may not get SSO due to the shorter cookie lifetime.
If the revoke endpoint does not revoke session cookies, why does the documentation explicitly say the opposite then? "(as well as session cookies in a user's browser)".
Did you notice that I wrote that we are using Keep Me Signed In? So how does it make sense to lower the lifetime? I explicitly mentioned that we do not want to do that.
Again, I explicitly mentioned that we want to log out clients globally and that in combination with KMSI, so how does it make sense to apply the "prompt=login"? In most cases we do not want to force reauthentication. We only want to do that for compromised accounts on machines that the legitimate user does not have access to.
Even if adding "prompt=login" was a solution, then the malicious user will be able to simply remove that query string parameter to circumvent that.
The only options you have are the ones I have explained, these are all the options for all other readers of this post also. If none of these are viable for you, which they are not in this case, then you will need to raise a feedback request for a new feature. We will adjust the MS Graph docs to reflect correctly.