We have read the document as below https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-dir...
and we found the token revocation policy is very clear: if a user changes their password, then they may have to re-authenticate. BUT we tested again and again, and it looks like this policy is not working for us: the original access_token and refresh_token can still be used without any error. Does it make sense? Or is there anything we missed?
We tested in this way. Let's see if there are any problems.
04-15-2018 10:59 AM
Last time I played with this, only synced/federated users' tokens were affected by password changes, and by tokens I mean only the refresh tokens. For synced users, password changes didn't invalidate tokens; admin password resets did, though. Things might have changed since, though.
Are we talking about a custom app or O365 btw?
04-15-2018 06:20 PM
Thank you, Vasil.
Yes, we are talking about a custom app which uses Microsoft Graph to access Office 365 resources.
by Ares Chen on April 15, 2018
by Alex Weinert on April 21, 2020
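The behaviour discussed in this thread (an already-issued access token keeps working until its exp claim passes, while a password change can only affect the refresh token) is illustrated below with an added example that is not part of the thread or of any Microsoft code. The token endpoint is simulated in-process and, as a simplifying assumption, revokes every outstanding refresh token on a password change; the real policy depends on the user type, as Vasil's reply notes. The JWTs are constructed with a placeholder signature and are inspected only, never verified.

```python
import base64
import json

# Constructed demo: no network, no real tokens, no real identity provider.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the demo. The signature segment is a
    placeholder, so this is NOT a valid token; it only lets us read claims."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_claims(jwt: str) -> dict:
    """Decode the payload of a JWT without verifying it (inspection only)."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def access_token_is_unexpired(jwt: str, now: float) -> bool:
    """A bearer access token is accepted until its exp claim passes. Nothing
    about a password change shortens that window, which is what the original
    poster observed: the old access_token 'still works'."""
    return now < token_claims(jwt)["exp"]


class SimulatedTokenEndpoint:
    """Stand-in for an identity provider's /token endpoint (constructed).
    Assumption for the demo: a password change revokes all refresh tokens."""

    LIFETIME = 3600  # access token lifetime in seconds (constructed value)

    def __init__(self):
        self._issued = set()
        self._revoked = set()

    def issue(self, now: float) -> dict:
        refresh_token = f"rt-{len(self._issued)}"
        self._issued.add(refresh_token)
        access_token = make_sample_jwt(
            {"sub": "user@example.com", "iat": int(now), "exp": int(now) + self.LIFETIME}
        )
        return {"access_token": access_token, "refresh_token": refresh_token}

    def on_password_change(self) -> None:
        # Revoke outstanding refresh tokens; access tokens already handed out
        # are self-contained and cannot be recalled.
        self._revoked |= self._issued

    def refresh(self, refresh_token: str, now: float) -> dict:
        if refresh_token not in self._issued or refresh_token in self._revoked:
            return {"error": "invalid_grant",
                    "error_description": "refresh token revoked (constructed message)"}
        self._revoked.add(refresh_token)  # rotate: each refresh token is single-use
        return self.issue(now)


class ReauthRequired(Exception):
    """Raised when the refresh token is rejected; the app must send the user
    back through interactive sign-in."""


def get_usable_access_token(endpoint: SimulatedTokenEndpoint, session: dict, now: float) -> str:
    """Return a usable access token: the cached one while unexpired, otherwise
    the result of a refresh. A rejected refresh surfaces as ReauthRequired."""
    if access_token_is_unexpired(session["access_token"], now):
        return session["access_token"]
    response = endpoint.refresh(session["refresh_token"], now)
    if "error" in response:
        raise ReauthRequired(response["error_description"])
    session.update(response)
    return session["access_token"]


if __name__ == "__main__":
    ep = SimulatedTokenEndpoint()
    t0 = 1_000_000.0
    session = ep.issue(t0)
    ep.on_password_change()
    print("access token still accepted right after password change:",
          access_token_is_unexpired(session["access_token"], t0 + 600))
    try:
        get_usable_access_token(ep, session, t0 + 4000)
    except ReauthRequired as exc:
        print("after expiry the refresh is rejected:", exc)
```

The practical takeaway for an app of the kind described in the thread is that the password-change test must wait for the access token to expire (or the app must drop it) before the effect is visible, and that the place to detect revocation is the refresh call, by treating an invalid_grant response as a signal to re-authenticate interactively rather than as a transient error to retry.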