Apr 15 2018 - last edited on Jul 24 2020
We have read the document as below https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-dir...
and we found the token revocation policy is so clear: if a user changes their password, then they may have to re-authenticate. BUT we tested again and again, and it looks like this policy is not working for us: the original access_token and refresh_token can still be used without any error. Does it make sense? Or is there anything we missed?
We tested in this way. Let's see if there are any problems.
Apr 15 2018 10:59 AM
Last time I played with this, only synced/federated users' tokens were affected by password changes, and by tokens I mean only the refresh tokens. For synced users, password changes didn't invalidate tokens, admin password resets did though. Things might have changed since though.
Are we talking about a custom app or O365 btw?
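The reply above separates access tokens from refresh tokens. The Python below is an added example, not code from the thread or from Microsoft, showing why that distinction matters when you test revocation: an Azure AD access token is a self-contained bearer JWT that the resource validates by signature and `exp` claim without calling the directory, so an already issued access token keeps working until `exp` regardless of a password change, while revocation is only enforced when the client presents the refresh token to the token endpoint, which then answers with the OAuth 2.0 `invalid_grant` error (RFC 6749 section 5.2). The sample token, claims and endpoint responses are constructed for the example; the token's signature is a dummy and is deliberately not verified.

```python
"""Added example (not from the thread): two checks to run when testing
Azure AD token revocation after a password change.

1. seconds_until_expiry: how long a captured access token stays usable.
   A resource only checks signature and `exp`, so a password change does
   not stop an already issued access token before it expires.
2. classify_refresh_response: interpret the token endpoint's reply to a
   refresh_token grant. A revoked or expired refresh token comes back as
   an OAuth 2.0 `invalid_grant` error.

All sample data below is constructed; the JWT signature is a dummy.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    For inspection only: a resource server must verify the signature with the
    issuer's published keys before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> int:
    """Seconds until the token's `exp` claim; <= 0 means it has expired."""
    claims = decode_jwt_payload(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


def classify_refresh_response(status: int, body: dict) -> str:
    """Classify the token endpoint's reply to a refresh_token grant.

    'renewed' : new tokens issued, the refresh token is still valid
    'revoked' : refresh token rejected (invalid_grant), which is what a
                password change or admin reset should produce once the
                refresh token has been invalidated
    'other'   : any other failure (bad client credentials, throttling, ...)
    """
    if status == 200 and "access_token" in body:
        return "renewed"
    if status == 400 and body.get("error") == "invalid_grant":
        return "revoked"
    return "other"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample JWT (dummy signature) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


# Constructed sample: issued at 1523800000 with a one-hour lifetime.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "iat": 1523800000,
    "exp": 1523803600,
    "upn": "user@example.com",  # constructed value
})

if __name__ == "__main__":
    print("access token usable for", seconds_until_expiry(SAMPLE_TOKEN, now=1523800000), "s")
    print(classify_refresh_response(200, {"access_token": "...", "refresh_token": "..."}))
    print(classify_refresh_response(400, {"error": "invalid_grant",
                                          "error_description": "<placeholder>"}))
```

When testing the policy, the meaningful check is the refresh flow: use the refresh token after the password change and expect `revoked`; seeing the old access token still accepted before its `exp` is expected behaviour, not a failure of the policy.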
Apr 15 2018 06:20 PM
Thank you, Vasil.
Yes, we are talking about a custom app which uses Microsoft Graph to access Office 365 resources.