This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 28.000000000000004%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
Hi,
I have recently started using Azure AD B2C for multiple applications within our group. The setup is going well but we have one issue, when a user uses the self-service password reset user flow, they are still able to use existing refresh tokens to generate access tokens and continue to access our applications (without re-authenticating with new password). As well as this, a similar issue is that if an admin was to use the block sign-in toggle within the portal, the user is also still able to use their existing refresh tokens to get new access tokens and continue to access our apps. It seems as if our refresh tokens are not being revoked or invalidated in any way. Any advice is appreciated, thanks very much!
Charlie
This is not a case with just B2C, you will experience the same issue with Azure AD and other identity providers as well and this is expected behavior.
Continuous access evaluation can overcome this issue. Continuous access evaluation is implemented by enabling services (resource providers) to subscribe to critical events in Azure AD so that those events can be evaluated and enforced near real time. The following events will be enforced in this initial CAE rollout:
Microsoft has been an early participant in the Continuous Access Evaluation Protocol (CAEP) initiative as part of the Shared Signals and Events working group at the OpenID Foundation. Identity providers and relying parties will be able to leverage the security events and signals defined by the working group to reauthorize or terminate access.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks for your reply, so is it the case that the default expected behaviour is that there is nothing to stop a blocked user from using their refresh token (granted before the block) to get another access code, and continue to do so until they sign out themselves?
@Charlie Horton Yes, that is correct. The only option is to use admin account and revoke refresh tokens by using PowerShell commands or Graph Calls, which I don't think is a good option in your case as every time a user resets his password or an account is disabled, admin has to revoke the refresh tokens manually.
@Charlie Horton Just checking if you have any further question.
You can use Azure AD Graph to Invalidate all refresh tokens for a user with a call similar to this:
POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6
Or you can use Azure AD Powershell with a call similar to this:
Revoke-AzureADUserAllRefreshToken -ObjectId "<user_object_id>"
---
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 56.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
I have a SPA with MSAL.js v2 + B2C integrated. For some reason the endpoint you mentioned doesn't work as expected. The user still able to silently refresh access token multiple times even though I manually called invalidateAllRefreshTokens
The user is a local B2C user (not from external/federated AD/FB/Google). Do you have any ideas why is that?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 71%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETN%3C/text%3E%3C/svg%3E)
I got the same issue when integrating my React application with B2C.
I was able to replay multiple times the refresh token request to get the new tokens in two cases:
Not sure if this is an issue from B2C or anything wrong from my configurations?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 35%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Graph API revoke sessions resets Azure AD user attribute signInSessionsValidFromDateTime & refreshTokensValidFromDateTime.
However, it seems that Azure AD B2C does not honor these attributes by default for policy sign in (i.e. user can still sign in if B2C session is alive) and renewing access tokens.
Custom policy must store sign in time in session, and compare it with signInSessionsValidFromDateTime on policy execution - refer sample policy.
The JWT issuer technical profile supports metadata attribute RefreshTokenUserJourneyId to define policy to execute for token refresh. This policy could validate whether refresh token issued date is past the user attribute refreshTokensValidFromDateTime value and reject those requests.
Refer ROPC flow which checks refresh tokens are valid, however not sure whether custom refresh token policy is also honored for Authorization Code flow token refresh as well.