Tags: azure, oauth-2.0, azure-active-directory, azure-ad-b2c

How to validate the user id token after user password changes in AD B2C


I am creating a user as an AD B2C local account and am able to generate the user's ID token for the created user with https://login.microsoftonline.com/{{My_Domain_Name}}.onmicrosoft.com/oauth2/token/, and I am using this token to get the user profile from https://graph.windows.net/{{My_Domain_Name}}.onmicrosoft.com/users/{{USER_ID}}?api-version=1.6. Now, if I change the user's password and keep the old user ID token, I am still able to access the user profile. Is there a way to restrict the Get User call with the old token?


Solution

  • Moving my comments to an answer for more people's reference.

    Firstly, you are using an access token to access the user profile. An access token cannot be revoked. But you can revoke the refresh token; the user will then lose access to AAD once the old access token expires. The default expiration is 1 hour.

    See reference here.

    So you cannot restrict the Get User call with the old token immediately; after you take the above steps:

    For applications using access tokens, the user loses access when the access token expires.
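Since the directory will not revoke an already-issued access token, the only place an immediate cutoff can be enforced is in the resource server that consumes the token. The following is an added example, not code from the question or the answer: it validates a JWT's signature, issuer, audience and expiry, and then rejects any token whose `iat` is earlier than the user's last password change, which the resource server is assumed to record itself. The HS256 shared key, the issuer and audience strings, and the `password_changed_at` map are constructed assumptions so the example runs offline; real Azure AD tokens are RS256-signed and must be verified against the tenant's published JWKS instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Azure AD B2C tokens are RS256-signed and verified against
# the tenant's published JWKS; HS256 with a shared secret is used here only so the
# example runs offline. (Assumption, not how AAD actually signs tokens.)
DEMO_KEY = b"demo-secret-not-for-production"
ISSUER = "https://login.microsoftonline.com/example.onmicrosoft.com/"  # assumed value
AUDIENCE = "https://graph.windows.net"  # assumed resource identifier
DEFAULT_LIFETIME = 3600  # the 1-hour default the answer cites


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, iat: int, lifetime: int = DEFAULT_LIFETIME) -> str:
    """Mint a constructed HS256 token resembling an access token issued at `iat`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": iat, "exp": iat + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, now: int, password_changed_at: dict) -> tuple:
    """Return (accepted, reason).

    `password_changed_at` maps sub -> epoch seconds of the user's last password
    change, tracked by the resource server itself (assumption). Because the
    directory never revokes an issued access token, this local cutoff is what
    makes an old token unusable before its `exp`.
    """
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return False, "malformed"
    # Pin the algorithm before checking the signature to avoid alg-confusion.
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(DEMO_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer/audience"
    if now >= claims["exp"]:
        return False, "expired"
    changed = password_changed_at.get(claims["sub"])
    if changed is not None and claims["iat"] < changed:
        return False, "issued before password change"
    return True, "ok"


def demo() -> dict:
    """Walk through the scenario in the question with constructed timestamps."""
    t0 = 1_700_000_000
    old = mint_token("user-1", iat=t0)
    changes = {"user-1": t0 + 600}  # password changed 10 minutes after issue
    return {
        "before_change": validate_token(old, t0 + 300, {}),
        "after_change": validate_token(old, t0 + 900, changes),
        "reissued_after_change": validate_token(mint_token("user-1", iat=t0 + 700), t0 + 900, changes),
        "expired": validate_token(old, t0 + DEFAULT_LIFETIME, {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Without the `password_changed_at` check the old token is accepted right up to `exp`, which is exactly the behaviour the question observes; with it, the token that predates the change is refused while a token obtained after the change still works.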