Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,068 questions
User provisioning fails because of expired access token
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 64%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Spasova, Monika
20
Reputation points
We have a SCIM application. When we open the Provisioning tab of our application, in the section Admin Credentials we have set:
Authentication method: OAuth2 Authtorization Code Grant
Authorization endpoint: https://login-testmain.docuware.cloud/xxxxxxxxxx/connect/authorize?response_type=code&client_id=yyyyyyyyyyyyy&scope=docuware.platform offline_access&redirect_uri=https%3A%2F%2Fportal.azure.com%2FTokenAuthorize
client id and secret and the rest of the data visible on the screenshot.
Although we have set the scope offline_access in authorization endpoint, when we try to provision a user after about an hour after authorizing with our application with this button "Authorize" (our token expiration time is 60 minutes), it fails because of the error on the screenshot 2. There isn't anything more verbose in the audit and provisioning logs. My colleague noticed that after about an hour we see the same quarantine message (screenshot 3) in Overview of the app so it informs us that the something happens with the service even before we try to provision a user. We assume that the error is caused because there is a problem getting a new authorization token. We are sure that https://login-testmain.docuware.cloud returns a refresh_token, when the scope offline_access is set in the request and it seems that Microsoft Entra does not have a mechanism to use the refresh token in order to get a new access token.
After clicking "Authorize" and when a new access token is taken we can again use the app for 60 minutes.
How could we fix the issue with the automatic getting of new authorization token after its expiration?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 7,675 Reputation points Microsoft Vendor2024-10-03T23:54:31.0066667+00:00 Hello @Spasova, Monika,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you are working with a SCIM application using the OAuth2 Authorization Code Grant flow to obtain an access token, and you were able to retrieve it successfully. However, the issue arises after an hour when the initial access token is revoked, causing the provisioning process to fail and a quarantine message to appear in the app’s Overview.
You mentioned that you are passing the offline_access scope in your authorization request, but the application is still not generating a new access token after an hour.
For troubleshooting, I recommend checking Fiddler or Network trace logs to confirm whether a refresh token is being returned by the application. The application needs to send a request to the token endpoint to refresh the access token using the refresh token obtained during the initial authorization, by using the grant_type=refresh_token parameter.
Thanks,
Raja Pothuraju. -
Raja Pothuraju 7,675 Reputation points Microsoft Vendor
2024-10-07T23:43:22.74+00:00 Hello @Spasova, Monika,
Following up to check if the issue still persists.
-
Spasova, Monika 20 Reputation points
2024-10-08T06:20:06.2766667+00:00 As I said in the initial post we are sure that https://login-testmain.docuware.cloud returns a refresh_token, when we have set the scope offline_access in the Authorization URL and it seems that Microsoft Entra does not have a mechanism to use the refresh token in order to get a new access token from the token endpoint.
-
Spasova, Monika 20 Reputation points
2024-10-08T06:22:25.35+00:00 We are sure that the authorization endpoint sends a refresh token as I have described in the initial question.
-
Raja Pothuraju 7,675 Reputation points Microsoft Vendor
2024-10-10T23:30:31.28+00:00 Hello @Spasova, Monika,
Thank you for your response.
Yes, it looks like the app does not support the use of the refresh token. If you have a support plan, could you please file a support ticket for deeper investigation and do share the SR# with us? In case if you don't have a support plan, please let us know here.
-
Spasova, Monika 20 Reputation points
2024-10-14T04:49:14.4+00:00 I am not sure whether our organization has a support plan or not. Could you please create a SR yourself. Thank you.
-
Raja Pothuraju 7,675 Reputation points Microsoft Vendor
2024-10-14T20:20:11.81+00:00 Hello @Spasova, Monika,
It's not possible for me to raise a ticket from my end on behalf of you. But I can help you to enable one free support ticket on your subscription. Please send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Pothurajur and following details in the email body: Link to this thread/post and share the subscription ID.
Thanks,
Raja Pothuraju.
Sign in to comment
Sign in to answer