Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
luckycharms
Level 2 Contributor

MFA with refresh tokens seems to have expired and is no longer working

Hello,


We had setup our account for the MFA & Secure Model requirements and have been using refresh tokens to manage our users. We have been refreshing and using new refresh tokens daily.

 

We haven't made any changes to our systems and now it is failing with the following error:

{"error":"interaction_required","error_description":"AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd'.\r\nTrace ID: 89271af4-602a-4090-a441-7b2df3f32a00\r\nCorrelation ID: 590e321b-7df9-41ad-a04e-fe7fc61cb000\r\nTimestamp: 2020-01-20 14:46:51Z","error_codes":[50078],"timestamp":"2020-01-20 14:46:51Z","trace_id":"89271af4-602a-4090-a441-7b2df3f32a00","correlation_id":"590e321b-7df9-41ad-a04e-fe7fc61cb000","suberror":"basic_action"}

It appears as though it has expired but I'm not sure how that could be the case as we refresh daily. Could anyone provide insight into this?

 

Thanks!
Corey

3 REPLIES 3
Andra
Community Manager

Hi @luckycharms ,

 

Thank you for sharing this matter with the community.

I noticed there is a similar thread you might want to check, although this is a slightly different error: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Refresh-token-lifetime-error-AADSTS50076/td-p/8204.

 

If this does not help, do let us know to further advise.

 

Kind regards,

Andra

crodriguez
Visitor 1

We are having the same error New-PartnerAccessToken : AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access

 

This happens to some of our tenants. The other thread that you linked does not seem to provide an answer

JanoschUlmer
Microsoft

@crodriguez :

Can you please check to turn the setting of "Remember MFA for x Days" off?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#how-the-feature-works

"When a refresh token is validated, Azure AD checks that the last two-step verification occurred within the specified number of days."

(or test the opposite by setting it to one day lifetime and check if again your tokens are invalid after this timeframe -. then you can be sure it is this setting).

 

This feature can actually force that interactive MFA in requested again after the specified days and thus your current tokens will be invalid. It would be great if you could update the thread on the result

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices