
I saw this answer and update (Revocation endpoint in Azure AD B2C) but I'm not sure how to use this with Azure AD B2C. I've opened up an Azure Cloud Shell and it comes back that the object ID does not exist. I'm running this from my parent Azure directory because I could not open up an Azure Cloud Shell inside my Azure AD B2C directory (it said "No valid subscription found"). Do you have to run this command from within the Azure AD B2C directory? If so how do I link a subscription so that I can do this?

stumpykilo

1 Answer

I don't believe you can use Azure Cloud Shell because an Azure AD B2C directory isn't related to an Azure subscription like an Azure AD directory is related to one.

You can use either:

  1. The Revoke-AzureADUserAllRefreshToken cmdlet of the Azure Active Directory PowerShell for Graph module.
  2. The Invalidate all refresh tokens for a user operation of the Azure Active Directory Graph API.
Chris Padgett
  • Thanks for your suggestion Chris. I tried the 2nd option but get the following result: Authentication_MissingOrMalformed Access Token missing or malformed. 328e1694-bbd2-4970-bbf0-26fc1a2b60fc 2018-05-08T19:24:01 – stumpykilo May 08 '18 at 19:26
  • You must acquire an access token as a Global Administrator user from the Azure AD B2C directory before you invoke the Azure AD Graph API. It is easier for experimentation to interact with the Graph API using [the Azure AD Graph Explorer](https://graphexplorer.azurewebsites.net/). – Chris Padgett May 09 '18 at 01:28
  • Thanks again Chris, the Azure AD Graph Explorer is really nice. I signed in as the global administrator and can access everything fine on my main domain but still cannot get access to the B2C directory. – stumpykilo May 09 '18 at 13:46
  • You must sign in as a global administrator for your Azure AD B2C directory. This administrator must be a user account that is local to this directory, i.e., it can't be a user account from another directory. – Chris Padgett May 09 '18 at 22:29
  • I can try adding another user but the global administrator that I'm signing in as is a member of my main domain and the B2C directory. The user is a Global Administrator in the B2C directory. – stumpykilo May 10 '18 at 14:05
  • I was able to successfully sign in with a new global administrator user and see my users using the graph explorer but unfortunately the "invalidateAllRefreshTokens" request came back with this response: { "odata.error": { "code": "Request_BadRequest", "message": { "lang": "en", "value": "Method Not Allowed" } } } – stumpykilo May 10 '18 at 15:38
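Both options from the answer as one PowerShell script, added here as an example and not code from the answer or its author. It assumes placeholder values for the B2C tenant and user, a sign-in with a global administrator local to the B2C directory, and, for the REST option, that `$graphToken` already holds an Azure AD Graph access token obtained by that administrator; note that `invalidateAllRefreshTokens` is an action, so the Graph call is an HTTP POST.

```powershell
# Added example, not part of the original answer. The values below are
# assumptions: replace the tenant and user with those of your B2C directory.
$b2cTenant = "contosob2c.onmicrosoft.com"           # placeholder B2C tenant domain
$userUpn   = "jane.doe@contosob2c.onmicrosoft.com"  # placeholder local B2C user

# Option 1: Azure Active Directory PowerShell for Graph module (Install-Module AzureAD).
# Sign in with a global administrator that is local to the B2C directory;
# -TenantId points the session at the B2C directory rather than the parent one.
Connect-AzureAD -TenantId $b2cTenant

$user = Get-AzureADUser -ObjectId $userUpn
Write-Host "RefreshTokensValidFromDateTime before: $($user.RefreshTokensValidFromDateTime)"

# Invalidates every refresh token issued to the user. Access tokens already
# handed out stay valid until they expire, so sessions end at the next refresh.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

$after = Get-AzureADUser -ObjectId $user.ObjectId
Write-Host "RefreshTokensValidFromDateTime after:  $($after.RefreshTokensValidFromDateTime)"

# Option 2: the same operation over the Azure AD Graph REST API.
# $graphToken is assumed to hold an access token for https://graph.windows.net
# acquired by the B2C global administrator (e.g. from the Graph Explorer sign-in).
# invalidateAllRefreshTokens is an OData action, so it must be sent as a POST.
$uri = "https://graph.windows.net/$b2cTenant/users/$($user.ObjectId)/invalidateAllRefreshTokens?api-version=1.6"
$headers = @{
    Authorization  = "Bearer $graphToken"
    "Content-Type" = "application/json"
}
$result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body "{}"
$result   # response body of the action; an error here surfaces as a terminating exception
```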