Azure AD refresh token lifespan

Anonymous
2021-11-24T16:50:30.347+00:00

Hi,

We are using a refresh token issued by Azure AD to obtain an access token (used for the Graph API).
We know that since January 2021 it has not been possible to configure the token lifespan and that default values are applied.

In the case of a refresh token, the maximum lifespan is 90 days (as long as it is in an active state).
In order to keep it active, it has to be used within 14 days.

Let's consider this case:

  1. We obtained refresh-token-a on January 1st, 2022.
  2. We used refresh-token-a to obtain access-token-a on January 2nd, 2022.
  3. In the very same response we got a new refresh-token-b (using the offline_access scope).
  4. refresh-token-a is still valid and can still be used to obtain access tokens (tested).

Given the fact that we keep refresh-token-a active (i.e. use it within the 14-day timeframe):

a. Does refresh-token-a expire 90 days from the moment it is issued (April 1st, 2022)?
b. Does refresh-token-b expire 90 days from the moment it is issued (April 2nd, 2022), or does it expire together with refresh-token-a (April 1st, 2022)?
In other words, can you continually renew the refresh token (and use the new refresh token in further requests), or do all refresh tokens expire 90 days after the initial refresh token was issued?

There is contradictory information on this subject, so any official answer would be much appreciated.

Thank you.

Tags: Microsoft Graph, Microsoft Entra ID
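The rotation flow described in the question (use refresh-token-a, receive refresh-token-b in the same response, keep both around) is easy to get wrong client-side if the store only remembers one token or forgets when each was issued. The following is an added example, not code from the post or from Microsoft: it performs the standard v2.0 `grant_type=refresh_token` request against `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`, records a per-token issue time and last-use time, and computes each token's deadline from the default lifetimes the question states (90 days maximum, 14 days of inactivity). The tenant, client id, secret and token strings are hypothetical, and the HTTP call is injectable so the module runs offline against a constructed reply. One assumption to be aware of: the absolute deadline is computed from each token's own issue time, which corresponds to one of the two readings the question asks about; if the answer turns out to be that every rotated token inherits the first token's 90-day clock, seed `issued_at` of new tokens with the original token's issue time instead.

```python
"""Azure AD v2.0 refresh-token grant with client-side rotation tracking.

Hypothetical example (not from the original post). Lifetimes are the
defaults stated in the question; the HTTP transport is injectable so
the scenario below replays offline with a constructed endpoint reply.
"""
import datetime as dt
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MAX_LIFETIME = dt.timedelta(days=90)      # default stated in the question
INACTIVITY_LIMIT = dt.timedelta(days=14)  # default stated in the question


class TokenError(Exception):
    """Raised when the token endpoint returns an OAuth error body."""


@dataclass
class RefreshToken:
    value: str
    issued_at: dt.datetime
    last_used_at: Optional[dt.datetime] = None

    def __post_init__(self) -> None:
        if self.last_used_at is None:
            self.last_used_at = self.issued_at

    def absolute_deadline(self) -> dt.datetime:
        # Assumption: each token's 90-day clock starts at its own issuance.
        return self.issued_at + MAX_LIFETIME

    def inactivity_deadline(self) -> dt.datetime:
        return self.last_used_at + INACTIVITY_LIMIT

    def deadline(self) -> dt.datetime:
        # Whichever limit is reached first ends the token.
        return min(self.absolute_deadline(), self.inactivity_deadline())

    def is_usable(self, now: dt.datetime) -> bool:
        return now < self.deadline()


class TokenStore:
    """Keeps every refresh token we were handed, each with its own timestamps."""

    def __init__(self, tokens: List[RefreshToken]):
        self.tokens = list(tokens)

    def newest_usable(self, now: dt.datetime) -> Optional[RefreshToken]:
        usable = [t for t in self.tokens if t.is_usable(now)]
        return max(usable, key=lambda t: t.issued_at) if usable else None


def _http_post_form(url: str, form: Dict[str, str]) -> dict:
    """Real transport: POST x-www-form-urlencoded, decode the JSON reply.
    Azure AD returns OAuth errors as HTTP 400 with a JSON body, so decode that too."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


def refresh_access_token(store: TokenStore, tenant: str, client_id: str, client_secret: str,
                         scope: str, now: dt.datetime,
                         post: Callable[[str, Dict[str, str]], dict] = _http_post_form) -> str:
    """Redeem the newest usable refresh token; store the rotated one if the reply carries it."""
    rt = store.newest_usable(now)
    if rt is None:
        raise TokenError("no usable refresh token; interactive sign-in is required")
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,   # confidential client; omit for public clients
        "scope": scope,                   # include offline_access to be handed a new refresh token
        "refresh_token": rt.value,
    }
    reply = post(TOKEN_URL.format(tenant=tenant), form)
    if "error" in reply:
        raise TokenError(f"{reply['error']}: {reply.get('error_description', '')}")
    rt.last_used_at = now                 # accepted by the endpoint, so it stays active
    new_value = reply.get("refresh_token")
    if new_value and new_value != rt.value:
        store.tokens.append(RefreshToken(new_value, issued_at=now))
    return reply["access_token"]


def demo() -> dict:
    """Replay the question's scenario (Jan 1 issue, Jan 2 use) with a constructed reply."""
    jan1 = dt.datetime(2022, 1, 1, tzinfo=dt.timezone.utc)
    jan2 = jan1 + dt.timedelta(days=1)
    store = TokenStore([RefreshToken("refresh-token-a", issued_at=jan1)])

    def fake_post(url: str, form: Dict[str, str]) -> dict:  # constructed v2.0-shaped reply
        assert form["grant_type"] == "refresh_token" and form["refresh_token"] == "refresh-token-a"
        return {"token_type": "Bearer", "scope": form["scope"], "expires_in": 3599,
                "access_token": "access-token-a", "refresh_token": "refresh-token-b"}

    access = refresh_access_token(store, "contoso.onmicrosoft.com", "hypothetical-client-id",
                                  "hypothetical-secret", "User.Read offline_access", jan2, post=fake_post)
    return {"access_token": access, "store": store, "now": jan2}


if __name__ == "__main__":
    result = demo()
    for t in result["store"].tokens:
        print(t.value, "issued", t.issued_at.date(), "deadline", t.deadline().date())
```

Running the module prints both tokens with their computed deadlines: refresh-token-a's absolute deadline lands on April 1st, 2022, exactly the date the question derives, while its inactivity deadline (January 16th) is what actually governs if it is not used again. The store deliberately keeps refresh-token-a after refresh-token-b arrives, matching the observation in step 4 that the old token still works.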