codinglizard

Reputation: 63

Microsoft Graph Infinite / Long Lived Access Tokens

I've recently been using the Microsoft Graph API to develop a desktop application for OneDrive. I've run into a bit of an issue regarding access token lifetimes. I see in the following document that the max token lifetime is 90 days using a refresh token:

https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes

Is there a way to extend this further so the user doesn't have to be prompted to login again?

Upvotes: 2

Views: 2146

Answers (2)

codeye

Reputation: 627

Yes. When an access token is requested using the current refresh token a new refresh token is also provided that will again have the 90 day (inactivity) limit. This means as long as the user is frequently using the app they should not be required to login too often. It appears that this can be set so that they never need to login unless the period of inactivity is excessive (90 days).

Upvotes: 2

Seiya Su

Reputation: 1874

The point of the 90 day expiry is users re-visit your application at the end of the expiration and you drive them back through the login process:

Get short-lived token / Re-extend

Extending a 90 day without user interaction defeats the entire process. If your user hasn't interacted with your application in 90 days, the application permission should expire.

Adding one reference from the MS blog; pay attention to the word "must":

Although the refresh tokens now last longer, access tokens still expire on much shorter time frames. When the access token a client app is using to access a service or server expires, the client must request a new access token by sending the refresh token to Azure AD. As part of that request, Azure AD uses our conditional access system and identity protection system to assure the user and their device are in a secure and compliant state before issuing a new access token.

Upvotes: 0
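Both answers describe the same client-side loop: redeem the refresh token whenever the short-lived access token expires, persist the new refresh token that comes back (which is what keeps the 90-day inactivity window sliding), and when the endpoint refuses the refresh token, send the user back through interactive sign-in instead of trying to work around it. The following is an added example written for this thread, not code from either answer or from Microsoft. It assumes the v2.0 `refresh_token` grant against the `common` token endpoint and the documented response shape (`access_token`, `refresh_token`, `expires_in`, or `error`/`error_description`); the transport is injectable so the script runs offline against a constructed stand-in for the token endpoint, and `client-id-placeholder` is a placeholder, not a real application id.

```python
"""Refresh-token rotation for a Microsoft identity platform (v2.0) desktop client.

Added example for this thread; assumptions are labelled in the comments below.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: v2.0 common token endpoint; real tenants may use a tenant-specific URL.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# offline_access is the scope that makes the endpoint issue a refresh token at all.
SCOPES = "offline_access Files.ReadWrite User.Read"


class ReauthRequired(Exception):
    """The refresh token is no longer usable; the user must sign in interactively."""


class TokenStore:
    """In-memory stand-in for the app's protected storage (e.g. the OS keyring)."""

    def __init__(self, refresh_token, access_token=None, expires_at=0.0):
        self.refresh_token = refresh_token
        self.access_token = access_token
        self.expires_at = expires_at


def http_post_form(url, form):
    """Real transport: POST a form-encoded body and return the parsed JSON reply.
    Token endpoint errors arrive as 4xx with a JSON body, so those are parsed too."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


def get_access_token(store, client_id, transport=http_post_form, now=time.time, skew=60):
    """Return a usable access token, refreshing (and rotating) when needed.

    1. A cached access token that is still valid (minus a safety margin) is reused.
    2. Otherwise the refresh token is redeemed. The reply carries a *new* refresh
       token; it is persisted at once and the old one discarded, which is what keeps
       the 90-day inactivity limit sliding while the user keeps using the app.
    3. invalid_grant / interaction_required (expired, revoked, or blocked by
       conditional access) is not retried: the cached tokens are wiped and the caller
       must run the interactive login flow again.
    """
    if store.access_token and now() < store.expires_at - skew:
        return store.access_token

    body = transport(TOKEN_ENDPOINT, {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": store.refresh_token,
        "scope": SCOPES,
    })
    if "error" in body:
        if body["error"] in ("invalid_grant", "interaction_required"):
            store.refresh_token = None
            store.access_token = None
            raise ReauthRequired(body.get("error_description", body["error"]))
        raise RuntimeError(f"token endpoint error: {body}")

    store.access_token = body["access_token"]
    store.expires_at = now() + int(body["expires_in"])
    # Rotate. The endpoint may omit refresh_token; only then keep the old one.
    store.refresh_token = body.get("refresh_token", store.refresh_token)
    return store.access_token


def fake_token_endpoint(url, form):
    """Constructed stand-in for the token endpoint so the example runs offline.
    Refresh tokens of the form 'rt-N' are redeemed and rotated to 'rt-N+1';
    anything else is treated as expired through inactivity."""
    if form["grant_type"] != "refresh_token" or not form["refresh_token"].startswith("rt-"):
        return {"error": "invalid_grant",
                "error_description": "constructed: refresh token expired due to inactivity"}
    n = int(form["refresh_token"].split("-")[1])
    return {"token_type": "Bearer", "expires_in": 3600,
            "access_token": f"at-{n}", "refresh_token": f"rt-{n + 1}"}


if __name__ == "__main__":
    clock = [1000.0]
    store = TokenStore(refresh_token="rt-1")  # constructed starting refresh token
    print(get_access_token(store, "client-id-placeholder", fake_token_endpoint, lambda: clock[0]))
    print("stored refresh token is now", store.refresh_token)
    clock[0] += 4000  # access token expired, refresh token still fresh
    print(get_access_token(store, "client-id-placeholder", fake_token_endpoint, lambda: clock[0]))
    try:
        get_access_token(TokenStore("stale"), "client-id-placeholder", fake_token_endpoint)
    except ReauthRequired as e:
        print("interactive sign-in required:", e)
```

The important design choice is in step 3: an `invalid_grant` answer is the directory telling the client that the grant is gone (inactivity, revocation, or a conditional access decision at refresh time, as the quoted blog text describes), so the right response is to clear the cache and prompt, never to keep the old refresh token around or retry in a loop.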
