I have recently started using Azure AD B2C for multiple applications within our group. The setup is going well but we have one issue, when a user uses the self-service password reset user flow, they are still able to use existing refresh tokens to generate access tokens and continue to access our applications (without re-authenticating with new password). As well as this, a similar issue is that if an admin was to use the block sign-in toggle within the portal, the user is also still able to use their existing refresh tokens to get new access tokens and continue to access our apps. It seems as if our refresh tokens are not being revoked or invalidated in any way. Any advice is appreciated, thanks very much!