There are instances where a user logs off/out but the access token associated with the user on the client does not expire (based on the access token lifetime). This can lead to situations where resource servers or APIs can continue to be invoked with these tokens and the request is serviced/honoured.
An introspection endpoint (per the ITEF specification in RFC 7662 https://tools.ietf.org/html/rfc7662) checks the validity of tokens. When will Microsoft establish an introspection endpoint with Azure Active Directory to check the validity of the token?
At present many customers are creating a bespoke solutions within their environments to perform this function blacklist tokens.