Konrad

Reputation: 892

Microsoft Azure Refresh Token Expires after 90 days

For a given user account on a customer's tenant, we followed the Microsoft Azure on-behalf-of procedure to grant Microsoft Graph permissions, including the offline_access scope, to our Web Application. We were then provided an access token and a refresh token. The user gave permission only once.

Everything went smoothly from then, for several months, then out of the blue we received an alert that the refresh token had expired after the 90-day inactivity period. Note that the refresh token was used within this window and for longer than 90 days.

Do you know why this happened? Is there a way to make a refresh token never expire, and if so, is that set on our side (Azure application) or on the customer's side?

What I do not understand is that we are theoretically in the "Token lifetime with confidential client refresh tokens" scenario described here (though I don't know how to check whether we are considered a confidential client or not).

Note that, unlike in this question, I have made sure that the refresh token is replaced with the new refresh token when making calls to https://login.microsoftonline.com/common/oauth2/v2.0/token.

Upvotes: 1

Views: 1459

Answers (1)

Joey Cai

Reputation: 20067

The default lifetime of refresh tokens issued to these flows is until-revoked, cannot be changed by using policy, and will not be revoked on voluntary password resets.

While refresh tokens are often long-lived, the authorization server can invalidate them. Some of the reasons a refresh token may no longer be valid include:

1. The authorization server has revoked the refresh token
2. The user has revoked their consent for authorization
3. The refresh token has expired (max inactive time is 90 days)
4. The authentication policy for the resource has changed (e.g., originally the resource only used usernames and passwords, but now it requires MFA)

Upvotes: 2
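The two halves of this thread, the question's refresh-token rotation against the v2.0 token endpoint and the answer's list of reasons a refresh token stops working, fit together in one piece of client code. The following is an added example, not code from the question, the answer, or Microsoft: it assumes a confidential client (client id plus client secret), an application-side store for the current refresh token, and hypothetical names such as `refresh_tokens`, `ReauthorizationRequired` and `run_demo`. The endpoint URL and the `grant_type=refresh_token` request shape are the documented v2.0 ones; the responses used to exercise the code are constructed so that it runs offline.

```python
"""Refresh-token rotation against the Microsoft identity platform v2.0 token endpoint.

Added example, not from the question or the answer. Assumes a confidential client
(client_id + client_secret) and a mutable app-side store holding the current
refresh token. Names such as refresh_tokens / ReauthorizationRequired are hypothetical.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class ReauthorizationRequired(Exception):
    """The stored refresh token is no longer usable; the user must consent again."""


def _http_post(url: str, form: dict) -> dict:
    """Default transport: form-encoded POST, JSON body back.
    4xx error bodies are returned as JSON too so the caller can inspect 'error'."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def refresh_tokens(store: dict, client_id: str, client_secret: str, tenant: str,
                   scopes, post=_http_post) -> dict:
    """Exchange the stored refresh token for a new access token.

    On success the newly issued refresh token replaces the old one in `store`
    (rotation): the 90-day inactivity clock is measured against the token most
    recently issued, so keeping the old one around is exactly what lets it lapse.
    """
    form = {
        "client_id": client_id,
        "client_secret": client_secret,          # confidential client credential
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "scope": " ".join(scopes),               # keep offline_access to keep receiving refresh tokens
    }
    body = post(TOKEN_ENDPOINT.format(tenant=tenant), form)
    if "error" in body:
        # invalid_grant is how the expired / revoked / policy-changed cases in the
        # answer surface to the client; retrying it will not help, re-consent will.
        if body["error"] == "invalid_grant":
            store.pop("refresh_token", None)     # stop retrying a dead token
            raise ReauthorizationRequired(body.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint error: {body['error']}")
    if "refresh_token" in body:
        store["refresh_token"] = body["refresh_token"]   # persist the rotated token first
    return {"access_token": body["access_token"], "expires_in": body["expires_in"]}


# Constructed responses (not real endpoint output) so the flow can be exercised offline.
def fake_post_success(url, form):
    assert form["grant_type"] == "refresh_token"
    return {"token_type": "Bearer", "expires_in": 3599, "scope": form["scope"],
            "access_token": "constructed-access-token",
            "refresh_token": "constructed-refresh-token-2"}


def fake_post_expired(url, form):
    return {"error": "invalid_grant",
            "error_description": "constructed: refresh token expired or revoked"}


def run_demo() -> dict:
    """Run the happy path and the expired path; returns what happened to the store."""
    scopes = ["https://graph.microsoft.com/User.Read", "offline_access"]
    store = {"refresh_token": "constructed-refresh-token-1"}
    outcome = {}
    result = refresh_tokens(store, "app-id", "app-secret", "common", scopes,
                            post=fake_post_success)
    outcome["rotated_to"] = store["refresh_token"]
    outcome["access_token"] = result["access_token"]
    try:
        refresh_tokens(store, "app-id", "app-secret", "common", scopes,
                       post=fake_post_expired)
        outcome["reauth_needed"] = False
    except ReauthorizationRequired:
        outcome["reauth_needed"] = True
    outcome["token_retained"] = "refresh_token" in store
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The design point is the order of operations in `refresh_tokens`: the new refresh token is written to the store before the access token is handed back, and an `invalid_grant` response clears the store and raises, so the application surfaces a re-consent prompt instead of silently looping on a token that the authorization server will never honour again.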
