I have been trying to be able to revoke all sessions (or at least be able to revoke all refresh tokens) in Azure B2C. So far I can always renew a token with a refresh token even if I ended the session through:
Azure Portal > User > Revoke Session
Microsoft Graph: https://graph.microsoft.com/v1.0/users/aaaaaa-bbbbb-ccccc-ddddd-eeeee/revokeSignInSessions
PowerShell: Revoke-AzureADUserAllRefreshToken -ObjectId "aaaaaa-bbbbb-ccccc-ddddd-eeeee"
So I have two questions:
How can an application (with application permissions) revoke all tokens of a B2C user?
How can an administrator (with delegated permissions) revoke all tokens of a B2C user?
Both of these would be important features for security, as refresh tokens are valid for a long time.