Secure Application Model

Learn and ask questions on how to implement secure application model

Level 3 Contributor

Re: Refresh token lifetime, error AADSTS50076

Thank you @idwilliams for the answers.

I might have been unclear on the first one, so I'll rephrase it as that's my only question left (finally!).

What I meant to ask was: is the refresh token issued by the access token request "fresher"? Meaning that if at each access request I replace my refresh token with the new one for next requests, will I ever be asked again to do the 2nd factor?

Scenario:

  - set the maximum age to 1 day

  - do a call on day 1, receive a new refresh token along the access token

  - on day 2, use the new refresh token to make a new call <= Will that work, or will the 2nd factor have expired?

That would really be the best scenario for us!

Level 3 Contributor

Re: Refresh token lifetime, error AADSTS50076

Hi,

Still looking for the answer to that question!

Please help me move on to something else 😞

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Yes, the new refresh token will also have a new lifetime. So if you repeat the process before the refresh token expires, there is no need to do MFA again.
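A worked PowerShell example of the rotation this answer describes, added here as an illustration; it is not code from the thread or from Microsoft's own Secure Application Model samples. It assumes the PartnerCenter and Az.KeyVault modules (a version whose Get-AzKeyVaultSecret supports -AsPlainText) and an existing Az session, and the vault name, secret name and the $appId/$tenantId/$credential variables are hypothetical. The only error code it matches on is the AADSTS50076 from this thread's title.

```powershell
# Added example (not from the thread): redeem the stored Secure Application Model refresh token and
# replace it with the newly issued one on every call, so the next run always starts from the newest lifetime.
# Assumed names: Key Vault 'kv-partner-example', secret 'PartnerRefreshToken', and $appId/$tenantId/$credential
# (credential = app id + app secret) that you already hold. Requires PartnerCenter + Az.KeyVault modules.

function Get-RotatedPartnerToken {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [string[]]$Scopes = @('https://api.partnercenter.microsoft.com/user_impersonation')
    )

    # 1. Read the refresh token that the previous run stored.
    $storedRefreshToken = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
    if ([string]::IsNullOrWhiteSpace($storedRefreshToken)) {
        throw "No refresh token found in $VaultName/$SecretName; run the interactive -UseAuthorizationCode flow once to seed it."
    }

    # 2. Redeem it. Per the answer above, the result carries a new refresh token with a new lifetime.
    try {
        $token = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $Credential `
            -RefreshToken $storedRefreshToken -Scopes $Scopes -ServicePrincipal -Tenant $Tenant
    }
    catch {
        # AADSTS50076: the stored token no longer satisfies the MFA requirement.
        # Only a new interactive sign-in (with the second factor) produces a usable refresh token again.
        if ($_.Exception.Message -match 'AADSTS50076') {
            throw "MFA required again (AADSTS50076): re-run the interactive flow and store the new refresh token. Original error: $($_.Exception.Message)"
        }
        throw
    }

    # 3. Persist the freshly issued refresh token in place of the old one.
    if (-not [string]::IsNullOrWhiteSpace($token.RefreshToken) -and $token.RefreshToken -ne $storedRefreshToken) {
        $secure = ConvertTo-SecureString -String $token.RefreshToken -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure | Out-Null
    }

    return $token
}

# Usage (assumed variable and vault names):
# $token = Get-RotatedPartnerToken -ApplicationId $appId -Tenant $tenantId -Credential $credential `
#              -VaultName 'kv-partner-example' -SecretName 'PartnerRefreshToken'
# $token.AccessToken   # use this for the API call; the new refresh token is already stored
```

Writing the new refresh token back before returning is the whole point: a scheduled job that keeps redeeming the original refresh token never benefits from the renewed lifetime, which is the behaviour the question describes.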

Visitor 1

Re: Refresh token lifetime, error AADSTS50076

Apologies for hijacking/resurrecting this forum post. However, we're seeing the same issues and I'm really struggling with the documentation provided to get this to work properly.

I was generating an access/refresh token with the following PowerShell commands. However, it's not prompting for MFA, nor does decoding the access token state that MFA is being used:

# Prompt for the credential used with the token request (PartnerCenter module must be installed)
$credential = Get-Credential

# Request the access/refresh token pair via the authorization-code flow;
# $appID and $tenantID must already hold the application and tenant identifiers
$partnerToken = New-PartnerAccessToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Credential $credential -ApplicationId $appID -Tenant $tenantID -UseAuthorizationCode

Is this an issue with the way we are retrieving the access token, or MFA settings on the account being used?
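The decoding step this post mentions, as an added PowerShell example (not code from the thread): it reads the amr (authentication method references) claim of an access token to see whether a second factor was used. The functions, the sample payloads and the "example.invalid" UPN are constructed here for illustration; the only real input would be an access token such as $partnerToken.AccessToken from the commands above.

```powershell
# Added example (not from the thread): inspect the amr claim of an Azure AD access token.
# This decodes the payload only and does not verify the signature, so it is a diagnostic aid,
# not something to base an authorization decision on.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    # Restore the padding that base64url strips
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    return [Convert]::FromBase64String($s)
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT (header.payload.signature)' }
    $json = [System.Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url -Text $parts[1]))
    return $json | ConvertFrom-Json
}

function Test-MfaClaim {
    param([Parameter(Mandatory)][string]$Token)
    $claims = Get-JwtPayload -Token $Token
    # Azure AD adds 'mfa' to amr when the second factor was satisfied;
    # a password-only sign-in typically carries just 'pwd'.
    if ($null -eq $claims.amr) { return $false }
    return [bool]($claims.amr -contains 'mfa')
}

# Constructed, unsigned sample tokens for demonstration (alg "none", empty signature).
function New-SampleJwt {
    param([Parameter(Mandatory)][string]$PayloadJson)
    $header  = ConvertTo-Base64Url -Bytes ([System.Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}'))
    $payload = ConvertTo-Base64Url -Bytes ([System.Text.Encoding]::UTF8.GetBytes($PayloadJson))
    return '{0}.{1}.' -f $header, $payload
}

$withMfa    = New-SampleJwt -PayloadJson '{"upn":"user@example.invalid","amr":["pwd","mfa"]}'
$withoutMfa = New-SampleJwt -PayloadJson '{"upn":"user@example.invalid","amr":["pwd"]}'

Test-MfaClaim -Token $withMfa
Test-MfaClaim -Token $withoutMfa

# On a real token from the commands above:
# Test-MfaClaim -Token $partnerToken.AccessToken
```

If the real token's amr holds only pwd, the sign-in completed without a second factor, which points at the account's MFA configuration rather than at the token request itself, and the Azure AD sign-in log entry for that authentication will show which policy, if any, was evaluated.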

Microsoft

Re: Refresh token lifetime, error AADSTS50076

If $credential = Get-Credential does not trigger MFA, it is something about the account's MFA settings.

Maybe some IP/network exclusions? MFA state only set to enabled instead of enforced? Conditional Access exclusions? End-user protection baseline policies or AAD security defaults used and the user does not have admin roles (since those will only trigger MFA when a risky sign-in is detected)?

You can check the Azure AD sign-in logs to see what happened during authentication.

Level 3 Contributor

Re: Refresh token lifetime, error AADSTS50076

Hi,

We implemented the refresh-token renewal mechanism 2 weeks ago, and we still received the expired token issue.

Are you positive that using the refresh-token received along with the access token should prevent this?

In that case it means we have an issue with the way we did it and I'll run more controlled tests on my side.

Might it be because it is set to expire in 60 days? Meaning that we simply need to untick the expiration box entirely?

Microsoft

Re: Refresh token lifetime, error AADSTS50076

Yes, when subsequently using the new refresh token this should be prevented. It will expire after 90 days regardless of what you configure, so that would not be a solution.

You can also open a support request if you are sure you have done it the right way or contact askpts@microsoft.com to raise an advisory request if you are unsure if you used the right method.