This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 8%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED3%3C/text%3E%3C/svg%3E)
Hello ,
I have been trying to be able to revoke all sessions (or at least be able to revoke all refresh tokens) in Azure B2C. So far I can always renew a tocken with a refresh token even if I ended the session through:
Azure Portal > User > Revoke Session
Microsoft Graph: https://graph.microsoft.com/v1.0/users/aaaaaa-bbbbb-ccccc-ddddd-eeeee/revokeSignInSessions
Powershell: Revoke-AzureADUserAllRefreshToken -ObjectId "aaaaaa-bbbbb-ccccc-ddddd-eeeee"
So I have two questions:
How can an application (with application permissions revoke all Tokens of a B2C User?
How can an administrator (with delegated permissions revoke all Tokens of a B2C User?
Both of these would be important features for security, as Refresh tokens are valid for a long time.
Hi @DisplayName-3010
After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.
@CarlZhao-MSFT It still works multiple hours after I executed it. So this is not the reason, I can reproduce it quit easily.
Hi @CarlZhao-MSFT ;
Do you have more information about this. I can reproduce it easily. Refreshing a Token with the refresh token is still possible even if all sessions should have been stopped.