Secure Application Model

Level 3 Contributor

Refresh token lifetime, error AADSTS50076

Hi, I've switched our production to the new model and I'm therefore using refresh tokens.

However, in less than 24h, I usually start getting AADSTS50076 on all of my calls. The error message states:

Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'SampleBECApp'

Contrary to the error message, I've got this error without moving or doing anything to the tenant configuration. Since this is now in production, I really need to know what's causing this "change" detection on Microsoft's side.

Here are the IDs of a request that failed after ~3h of a refresh token's lifetime (with no actions on my side in between):

Trace ID: 558dc046-59d0-44c4-8fde-214edfc55500

Correlation ID: b7e8f17a-cd0b-48d0-a339-20f2a0d69de5

Timestamp: 2019-02-11 08:21:10

33 replies
Level 3 Contributor

Thank you very much for coming back here to update!

I will wait until my current token expires, untick the box, and generate a token.

I'll update here on how this goes 🙂

Microsoft

Yes, when subsequently using the new refresh token this should be prevented. It will expire after 90 days regardless of what you configure, so that would not be a solution.

You can also open a support request if you are sure you have done it the right way or contact askpts@microsoft.com to raise an advisory request if you are unsure if you used the right method.

Level 3 Contributor

Hi,

Steps 1, 2 and 3 are precisely what we do. Here's how we use these steps.

And yes, we do use 2FA as it's going to be a requirement (and should already be without the postpone)

1)

$credential = Get-Credential # appId & appSecret
$token = New-PartnerAccessToken -Consent -Credential $credential -Resource https://api.partnercenter.microsoft.com -ServicePrincipal

# We then store $token.refreshToken

2)

// Truncated code, might miss some lines, it's just to give an idea
using System;
using System.IO;
using System.Net;
using System.Web;

private const string loginUrl = "https://login.microsoftonline.com/<our tenant id>/oauth2/token/";
private const string PC_API = "https://api.partnercenter.microsoft.com";

WebRequest request = WebRequest.Create(loginUrl);
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";

// refresh_token grant against the v1 token endpoint, resource = Partner Center API
string content = string.Format(
    "resource={0}&client_id={1}&client_secret={2}&grant_type=refresh_token&refresh_token={3}&scope=openid",
    HttpUtility.UrlEncode(PC_API),
    HttpUtility.UrlEncode(applicationId),
    HttpUtility.UrlEncode(applicationSecret),
    HttpUtility.UrlEncode(refreshToken));

using (StreamWriter writer = new StreamWriter(request.GetRequestStream()))
{
    writer.Write(content);
}

WebResponse response = request.GetResponse();
// Extract the access token ("access_token" field of the JSON body) from the response

3) Use the extracted access token to call the PC API with the C# SDK

I didn't try your solution yet, however as far as I understand it'll simply validate that the token was acquired with a 2nd factor, which is something I could already verify by looking at the JWT claims: "mfa" is there. If there's another reason to try it, please tell me so. Also, is there a way to do that in the partner center SDK?

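The three steps in this post describe a refresh-token exchange against the v1 token endpoint followed by a look at the resulting access token's claims. The following Python is an added example (not code from the thread, and not the Partner Center SDK) that mirrors the request body of step 2, decodes the access token's "amr" claim to confirm the "mfa" method the post mentions, and classifies an AADSTS error reply so a background service knows that an AADSTS50076 / interaction_required answer means the stored refresh token must be re-issued interactively (step 1) rather than retried. The endpoint path and form fields are the ones from the post; the sample error JSON and the sample unsigned token are constructed here, and the tenant id and credentials are placeholders.

```python
"""Refresh-token exchange helper for the Secure Application Model flow.

Added example, not code from the thread. No network calls: the request is
only built, and the token-endpoint replies used below are constructed.
"""
import base64
import json
import re
import time
from urllib.parse import urlencode

PC_API = "https://api.partnercenter.microsoft.com"  # resource used in the post


def build_refresh_request(tenant_id, client_id, client_secret, refresh_token):
    """Return (url, form body) for the refresh_token grant, same fields as step 2."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({
        "resource": PC_API,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": "openid",
    })
    return url, body


def decode_jwt_claims(token):
    """Decode the payload segment of a compact JWT without checking the signature.
    This is for local inspection of claims only; it is not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_mfa_claims(access_token, now=None):
    """Report whether the token was minted after MFA and how long it remains valid."""
    claims = decode_jwt_claims(access_token)
    now = time.time() if now is None else now
    return {
        "mfa": "mfa" in claims.get("amr", []),   # "mfa" in amr = second factor was used
        "expires_in": int(claims.get("exp", 0) - now),
        "aud": claims.get("aud"),
    }


def classify_token_response(status, body):
    """Map a token-endpoint reply to an action: 'ok', 'reconsent', 'retry' or 'fail'."""
    if status == 200 and "access_token" in body:
        return "ok"
    err = body.get("error", "")
    codes = re.findall(r"AADSTS(\d+)", body.get("error_description", ""))
    # interaction_required / AADSTS50076: AAD wants a fresh interactive MFA sign-in,
    # so retrying with the same refresh token will keep failing. A new refresh
    # token has to be obtained the way step 1 does it.
    if err == "interaction_required" or "50076" in codes:
        return "reconsent"
    if status >= 500 or err in ("temporarily_unavailable", "server_error"):
        return "retry"
    return "fail"


def make_sample_token(claims):
    """Build an unsigned JWT-shaped string from claims (constructed test data only)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed error reply in the shape of the message quoted in the thread.
SAMPLE_ERROR = {
    "error": "interaction_required",
    "error_description": (
        "AADSTS50076: Due to a configuration change made by your administrator, "
        "or because you moved to a new location, you must use multi-factor "
        "authentication to access 'SampleBECApp'. "
        "Trace ID: 558dc046-59d0-44c4-8fde-214edfc55500 "
        "Correlation ID: b7e8f17a-cd0b-48d0-a339-20f2a0d69de5"
    ),
}

if __name__ == "__main__":
    url, body = build_refresh_request("<tenant-id>", "<app-id>", "<app-secret>", "<refresh-token>")
    print(url, body, sep="\n")
    print("error reply ->", classify_token_response(400, SAMPLE_ERROR))
    tok = make_sample_token({"aud": PC_API, "amr": ["pwd", "mfa"], "exp": time.time() + 3600})
    print("claims ->", check_mfa_claims(tok))
```

The "reconsent" outcome is the one worth alerting on in a scheduled job: it is the signal that the stored refresh token has stopped being usable and a person has to run step 1 again, which is exactly the daily breakage described in this thread.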
Level 1 Contributor

Was this ever resolved? We seem to have the same scenario with refresh token no longer working after 24 hours.

Level 2 Contributor

Just so that I understand fully... You get the refresh token via a user who has MFA enabled, right? Then it will allow you to get access tokens for the first 23 hours but breaks with the MFA-like error message?

I have only seen the error message when I got my refresh token with an MFA-disabled account, but then it never works for MFA-enabled Azure ADs...

Level 1 Contributor

Correct. We recently enabled MFA on our service accounts for our applications which call Microsoft APIs. We use the refresh token to get access tokens. Everything works fine for about a day, then generates unauthorized access tokens. Manually establishing a new refresh token resolves this issue for another day. We have multiple tenants with Microsoft. However, this only occurs on our US tenant.

Level 3 Contributor

Hi @msallmen, no, this is yet to be solved, despite this discussion having been open for quite some time now! And indeed, we have MFA enabled.

@idwilliams, being tired of logging in with MFA every day, we decided to drop MFA to ease the task. However, it seems that now the token survives for more than one day (4th or 5th day today). It therefore seems to be an issue with MFA, and I might not be alone according to other posts here. Can you please bring up this issue so we can re-enable MFA safely when the day comes?

Level 1 Contributor

After the refresh token failed to give us valid access tokens every 24 hours for three days, we found this highlighted checkbox.

[Screenshot: Uncheck "remember multi-factor authentication" under the service settings.]

We unchecked the highlighted checkbox and generated a new refresh token, and we are past 48 hours of that refresh token working for us. I really thought this would only apply to users logging into the portal; strangely, it seems to have resolved our issue. I'd be interested to know if anyone else has seen this behavior.

Level 2 Contributor

@msallmen Could you share where you found that screen that has the refresh token expiry days? I'm not able to find it

Level 1 Contributor

In Azure AD, look at your list of users and find this button.

[Screenshot: mfa button.png]

On the next screen, click the service settings link.

[Screenshot: service settings button.png]

It doesn't even look like a button or link. I had some trouble finding it again myself just now!

Level 3 Contributor

Yeah, I think we are seeing the same thing. We have set this to 14 days, and since I issued the refresh token I have had to change it twice as it stopped working.

Level 3 Contributor

@idwilliams Can we get information on whether this is a bug in Azure AD?