We use Microsoft B2B Active Directory for a single page application we developed.
We would like to revoke the refresh token of a user when a user logs out.
To revoke the refresh token when a user logs out we found the following information.
https://docs.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
Our plan was to call the ‘Revoke Sign In Sessions’ Microsoft graph method when the user logs out. When we perform the call we see that the ‘refreshTokensValidFromDateTime’ in the user’s profile is changed.
However, when we request a new access token with an old refresh token we still get a reply with a new access token. We expected the call to fail because the refresh token is revoked.
Why is the old refresh token still valid after the ‘Revoke Sign In Sessions’ call?
We saw that if you are using the B2C Active Directory you can create custom policies, but we couldn’t find anything else for the B2B Active Directory.
We use the Authorization Code Flow to get an access and refresh token from https://login.microsoftonline.com/[tenantId]/oauth2/v2.0/token.
We then expect the call to the same URL to fail if the refresh token is revoked.
Thank you in advance.
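The procedure described in the question (call revokeSignInSessions through Graph, then probe the token endpoint with the old refresh token) as an added, self-contained example that is not the question author's code. It uses only the Python standard library and takes the HTTP transport as a parameter so the classification logic can be exercised offline with constructed replies. Assumed, not stated on the page: a Graph bearer token that carries the permission Graph requires for the revokeSignInSessions action, a public SPA client registration (no client secret), and the placeholder tenant, client and user identifiers.

```python
"""Added example: verify that revokeSignInSessions actually invalidates a
refresh token by re-running the refresh_token grant afterwards and classifying
the token endpoint's reply. Not the question author's code."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def http_post(url, headers, body):
    """Default transport: returns (status, parsed JSON body) and never raises
    on 4xx, because a 400 invalid_grant is the result we are looking for."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def revoke_sign_in_sessions(graph_token, user_id, post=http_post):
    """POST /users/{id}/revokeSignInSessions. Graph answers with a JSON
    boolean 'value'; True means the request was accepted."""
    url = f"{GRAPH}/users/{urllib.parse.quote(user_id)}/revokeSignInSessions"
    status, body = post(url, {"Authorization": f"Bearer {graph_token}"}, b"")
    return status == 200 and body.get("value") is True


def try_refresh(tenant_id, client_id, refresh_token, scope, post=http_post):
    """Refresh-token grant against the v2.0 token endpoint the question uses.
    Assumes a public (SPA) client, so no client_secret is sent."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": scope,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return post(url, headers, form)


def classify_refresh_result(status, body):
    """Translate the token endpoint's reply into a revocation verdict.
    'revoked'     : 400 invalid_grant, the refresh token is no longer accepted
    'still_valid' : 200 with a fresh access_token, revocation not (yet) effective
    'unexpected'  : anything else (network error, wrong client, throttling...)"""
    if status == 200 and "access_token" in body:
        return "still_valid"
    if status == 400 and body.get("error") == "invalid_grant":
        return "revoked"
    return "unexpected"


def verify_revocation(graph_token, tenant_id, client_id, user_id,
                      old_refresh_token, scope, post=http_post):
    """Run the full check: revoke, then probe with the old refresh token."""
    if not revoke_sign_in_sessions(graph_token, user_id, post):
        return "revoke_call_failed"
    status, body = try_refresh(tenant_id, client_id, old_refresh_token, scope, post)
    return classify_refresh_result(status, body)


if __name__ == "__main__":
    # Placeholder identifiers; replace with real values before running online.
    verdict = verify_revocation(
        graph_token="<GRAPH_APP_TOKEN>",
        tenant_id="<TENANT_ID>",
        client_id="<SPA_CLIENT_ID>",
        user_id="<USER_OBJECT_ID>",
        old_refresh_token="<REFRESH_TOKEN_CAPTURED_AT_LOGOUT>",
        scope="openid offline_access User.Read",
    )
    print("revocation verdict:", verdict)
```

A verdict of `still_valid` immediately after the revoke call is worth re-checking a few minutes later before concluding that revocation had no effect, since the Graph documentation for this action notes that there can be a short delay before tokens are rejected. Logging the verdict together with the `refreshTokensValidFromDateTime` observed on the user object gives a clean audit record of whether logout actually cut the session.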