Download a code sample for Microsoft Identity Platform from here (https://docs.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code). Used the "Angular SPA calls Microsoft Graph using Auth Code Flow w/ PKCE" sample.
Configure an Azure AD Premium app registration with the Conditional Access policy "Sign-in frequency" set to 1 hour. Also disable the "Stay signed in?" prompt in the AD tenant.
Follow example 1 from here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency-and-device-identities, i.e. leave the website inactive. Do not lock or switch off the computer. Go away for more than 1 hour.
Click a link on the webpage or refresh the page.
Expected result: The user is asked to sign in again.
Actual result: The refresh token is used to obtain a new access token. The user is still able to access the application without signing in again. (This can be seen by opening the browser's network tab.)