Daniel Fynes-Clinton

Reputation: 35

Is it possible to get a refresh token for Azure Resource Manager API with the client credentials flow?

I have a long-running ADF pipeline that uses a token for management.azure.com to query data from the ADF API. Is it possible to get a refresh token which should have a much longer life than the ±1 hour life of the normal access token? I've seen that with other scopes you can use offline_access to get the refresh token, but this doesn't seem valid for management.azure.com. Currently I'm doing a POST to https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token with the following request body and successfully getting back an access token.

grant_type=client_credentials
client_id=XXXXX
client_secret=XXXXX
scope=https://management.azure.com/.default

Upvotes: 0

Views: 153

Answers (1)

Rukmini

Reputation: 15574

Note that it is not possible to generate a refresh token for the client credentials flow, as there is no user interaction involved. Refer to this blog by Shoaib Alam.

Instead, you can try to increase the access token lifetime by using the below Microsoft Graph API query:

POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
Content-type: application/json

{
    "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"23:59:59\"}}"
    ],
    "displayName": "Contoso token lifetime policy",
    "isOrganizationDefault": true
}


The access token now is valid for 24 hours:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
grant_type:client_credentials
scope:https://management.azure.com/.default


  • You can also assign the policy to a Microsoft Entra application. Refer to this MsDoc.
  • The access token lifetime policy can be set from a minimum of 5 minutes to a maximum of 1,440 minutes (24 hours).

References:

Set lifetimes for tokens using PowerShell - Microsoft identity platform | Microsoft

Create tokenLifetimePolicy - Microsoft Graph v1.0 | Microsoft

Upvotes: 2
