Azure AD B2C seems to be creating "unknown" users when refreshing id_token?

It seems like a removed user account in Azure AD B2C is being resurrected (or recreated) when an application is requesting a new token (refresh token). In our case a mobile app requesting tokens.

When user accounts have been deleted, users with the same email address are suddenly visible with the name "unknown" but the same email address.

The Audit Log seems to start with an id_token request for users that have had activity in the last 7 days.

Isn't this strange if my assumption is correct? A removed user should never be able to refresh a token since the whole point of refresh tokens is that you can't refresh it if you no longer have access.

List of "unknown" users: [screenshot]

Audit Log for example user: [screenshot]

Jonas Stensved asked Mar 16 '18 10:03



1 Answer

I have nailed down this issue with help from Microsoft support. It seems to be a user issue (not an Azure AD issue, which is good) due to policies not requiring users to set a DisplayName when registering.

Note to self: Users saying they haven't registered doesn't always mean they haven't.

Jonas Stensved answered Dec 08 '22 10:12
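An audit script for the pattern the answer describes, added here as an example (it is not code from the original post or from Microsoft): it walks the tenant's users through Microsoft Graph and flags accounts with no displayName (the ones the portal lists as "unknown") and email addresses that occur on more than one account. The `requests` session with a bearer token is assumed to be supplied by the caller; the Graph page below is a constructed sample, not real tenant data.

```python
"""Audit Azure AD B2C users for missing displayName and duplicate emails."""
from collections import defaultdict
from typing import Dict, Iterable, List

# Graph users endpoint; identities carries the B2C local-account sign-in name.
GRAPH_USERS = ("https://graph.microsoft.com/v1.0/users"
               "?$select=id,displayName,identities&$top=999")


def user_emails(user: dict) -> List[str]:
    """Return the lower-cased local-account sign-in names of a B2C user."""
    return [i["issuerAssignedId"].lower()
            for i in user.get("identities", [])
            if i.get("signInType") in ("emailAddress", "userName")
            and i.get("issuerAssignedId")]


def audit(users: Iterable[dict]) -> Dict[str, object]:
    """Flag users with a blank displayName and emails shared by several ids."""
    missing: List[str] = []
    by_email: Dict[str, List[str]] = defaultdict(list)
    for u in users:
        if not (u.get("displayName") or "").strip():
            missing.append(u["id"])
        for email in user_emails(u):
            by_email[email].append(u["id"])
    dupes = {e: ids for e, ids in by_email.items() if len(ids) > 1}
    return {"missing_display_name": missing, "duplicate_emails": dupes}


def iter_graph_users(session, url: str = GRAPH_USERS):
    """Yield users page by page, following @odata.nextLink.
    `session` is assumed to be a requests.Session whose Authorization header
    already holds a Graph bearer token with User.Read.All."""
    while url:
        page = session.get(url, timeout=30).json()
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


# Constructed sample Graph page: one named user, one nameless account
# created with the same email (the "unknown" case), one blank-name user.
SAMPLE_PAGE = {"value": [
    {"id": "u-1", "displayName": "Alice Example", "identities": [
        {"signInType": "emailAddress", "issuerAssignedId": "alice@example.com"}]},
    {"id": "u-2", "displayName": None, "identities": [
        {"signInType": "emailAddress", "issuerAssignedId": "Alice@example.com"}]},
    {"id": "u-3", "displayName": "  ", "identities": [
        {"signInType": "userName", "issuerAssignedId": "bob"}]},
]}

if __name__ == "__main__":
    print(audit(SAMPLE_PAGE["value"]))
```

To run it against a tenant, replace `SAMPLE_PAGE["value"]` with `iter_graph_users(session)`; the output lists the ids to review before deciding whether to merge or delete them.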