
0 Votes
CharlieHorton-0506 asked ·

Azure B2C revoke refresh tokens

Hi,

I have recently started using Azure AD B2C for multiple applications within our group. The setup is going well, but we have one issue: when a user uses the self-service password reset user flow, they are still able to use existing refresh tokens to generate access tokens and continue to access our applications (without re-authenticating with the new password). As well as this, a similar issue is that if an admin were to use the block sign-in toggle within the portal, the user is also still able to use their existing refresh tokens to get new access tokens and continue to access our apps. It seems as if our refresh tokens are not being revoked or invalidated in any way. Any advice is appreciated, thanks very much!

Charlie

Tags: azure-active-directory, azure-ad-b2c, azure-ad-authentication-protocols

1 Vote
amanpreetsingh-msft answered ·

Hi @CharlieHorton-0506

This is not the case with just B2C; you will experience the same issue with Azure AD and other identity providers as well, and this is expected behavior.

Continuous access evaluation can overcome this issue. Continuous access evaluation is implemented by enabling services (resource providers) to subscribe to critical events in Azure AD so that those events can be evaluated and enforced in near real time. The following events will be enforced in this initial CAE rollout:

  • User Account is deleted or disabled

  • Password for a user is changed or reset

  • MFA is enabled for the user

  • Admin explicitly revokes all refresh tokens for a user

  • Elevated user risk detected by Azure AD Identity Protection

Microsoft has been an early participant in the Continuous Access Evaluation Protocol (CAEP) initiative as part of the Shared Signals and Events working group at the OpenID Foundation. Identity providers and relying parties will be able to leverage the security events and signals defined by the working group to reauthorize or terminate access.

Read more: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-continuous-access-evaluation


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

· 3 ·
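As an added illustration of the enforcement side described in this answer (example code written for this page, not Microsoft's CAE implementation and not code from the answer): a resource API that records the time of the last critical event for each user and rejects access tokens minted before that time, even when they have not expired yet. The HMAC key, the user ids and the token claims are constructed for the example; real B2C access tokens are RS256-signed and are validated against the tenant's published signing keys, and the event feed would come from the identity provider rather than from a local dictionary.

```python
"""Simplified "critical event" enforcement on the resource side.

The resource keeps, per user, the time of the last event that should end
existing sessions (password reset, account disabled, admin revoked tokens).
A token is accepted only if its signature verifies, it has not expired, and
it was issued after the user's last critical event.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed shared key for the sample tokens below (assumption: real B2C
# tokens are RS256 and are checked against the tenant's JWKS instead).
SAMPLE_KEY = b"constructed-example-key"

# oid -> unix time of the user's most recent critical event (assumed local store).
CRITICAL_EVENTS: Dict[str, float] = {}


def record_critical_event(oid: str, at: float) -> None:
    """Remember that a critical event for user `oid` happened at time `at`."""
    CRITICAL_EVENTS[oid] = max(at, CRITICAL_EVENTS.get(oid, 0.0))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying `claims` (sample data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SAMPLE_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verified_claims(token: str) -> dict:
    """Return the payload claims after checking the signature; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header, payload, signature = parts
    expected = hmac.new(SAMPLE_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def is_token_acceptable(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Signature, expiry and critical-event checks, in that order."""
    now = time.time() if now is None else now
    try:
        claims = verified_claims(token)
    except ValueError as err:
        return False, str(err)
    if float(claims.get("exp", 0)) <= now:
        return False, "expired"
    oid = claims.get("oid") or claims.get("sub")
    revoked_at = CRITICAL_EVENTS.get(oid)
    if revoked_at is not None and float(claims.get("iat", 0)) < revoked_at:
        return False, "issued before critical event"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = make_token({"oid": "user-1", "iat": t0, "exp": t0 + 3600})
    print(is_token_acceptable(token, now=t0 + 60))      # accepted
    record_critical_event("user-1", t0 + 120)            # e.g. password reset
    print(is_token_acceptable(token, now=t0 + 180))     # rejected although unexpired
```

Without the critical-event check, the second call would accept the token for the rest of its lifetime, which is exactly the window the question describes; a password reset or sign-in block only takes effect once the resource learns about the event and compares it against the token's issue time.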

Thanks for your reply. So is it the case that the default expected behaviour is that there is nothing to stop a blocked user from using their refresh token (granted before the block) to get another access code, and continue to do so until they sign out themselves?

0 Votes 0 ·

@CharlieHorton-0506 Yes, that is correct. The only option is to use an admin account and revoke refresh tokens by using PowerShell commands or Graph calls, which I don't think is a good option in your case, as every time a user resets their password or an account is disabled, an admin has to revoke the refresh tokens manually.

0 Votes 0 ·

@CharlieHorton-0506 Just checking if you have any further questions.

0 Votes 0 ·
2 Votes
alfredorevilla-msft answered ·

You can use Azure AD Graph to invalidate all refresh tokens for a user with a call similar to this:

POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6


Or you can use Azure AD PowerShell with a call similar to this:

Revoke-AzureADUserAllRefreshToken -ObjectId "<user_object_id>"



Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

· 1 ·
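Added example, not code from this answer: the same revocation driven from an automated admin process in Python, against Microsoft Graph rather than the deprecated Azure AD Graph endpoint shown above. Microsoft Graph exposes the operation as POST /users/{id}/revokeSignInSessions, which resets the user's signInSessionsValidFromDateTime so that refresh tokens and session cookies issued before that moment are rejected. The app-only Graph token (assumed to be obtained elsewhere), the user object id and the injectable HTTP opener are assumptions made for the example.

```python
"""Revoke a user's refresh tokens through Microsoft Graph from a script.

Intended for the situation in the thread: run it from the process that
handles a password reset or an account block, instead of having an admin
do it by hand.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_revoke_request(user_id: str, admin_token: str) -> urllib.request.Request:
    """Build the POST /users/{id}/revokeSignInSessions request.

    `user_id` is the B2C user's object id (or UPN); `admin_token` is an
    app-only Microsoft Graph token with rights to modify users (assumption:
    acquired elsewhere, e.g. with a client-credential flow).
    """
    url = f"{GRAPH_BASE}/users/{urllib.parse.quote(user_id, safe='')}/revokeSignInSessions"
    return urllib.request.Request(
        url,
        data=b"",
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}", "Content-Length": "0"},
    )


def revoke_sign_in_sessions(
    user_id: str,
    admin_token: str,
    opener: Callable = urllib.request.urlopen,
) -> Tuple[bool, str]:
    """Call the endpoint and report (success, detail).

    `opener` defaults to urllib's urlopen; tests pass a fake so the example
    runs offline. Graph answers 200 with {"value": true} on success.
    """
    request = build_revoke_request(user_id, admin_token)
    try:
        with opener(request) as response:
            body = json.loads(response.read().decode("utf-8") or "{}")
    except urllib.error.HTTPError as err:
        # 403: token lacks the needed permission; 404: no such user in the tenant.
        return False, f"graph returned HTTP {err.code}"
    if body.get("value") is True:
        return True, "refresh tokens invalidated"
    return False, f"unexpected response: {body}"


if __name__ == "__main__":
    # Usage: GRAPH_TOKEN=<app-only token> python revoke.py <user-object-id>
    token = os.environ.get("GRAPH_TOKEN")
    if not token or len(sys.argv) != 2:
        print("usage: GRAPH_TOKEN=<token> python revoke.py <user-object-id>")
        sys.exit(2)
    ok, detail = revoke_sign_in_sessions(sys.argv[1], token)
    print(detail)
    sys.exit(0 if ok else 1)
```

The call only invalidates refresh tokens and session cookies issued before it runs; access tokens that were already handed out remain valid until their own expiry, so the window closes completely only when the resources also enforce the events, as the continuous access evaluation answer above describes.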

I have a SPA with MSAL.js v2 + B2C integrated. For some reason the endpoint you mentioned doesn't work as expected. The user is still able to silently refresh the access token multiple times even though I manually called invalidateAllRefreshTokens.
The user is a local B2C user (not from external/federated AD/FB/Google). Do you have any ideas why is that?

0 Votes 0 ·