Refresh tokens expire after 12 hours using Microsoft Entra External ID native authentication with OTP

Question

Refresh tokens expire after 12 hours using Microsoft Entra External ID native authentication with OTP

Niek Bijman 90

Issue

We chose Microsoft Entra External ID for authenticating external consumers using CIAM after reading this article

We're using these Android & iOS clients to signup and signin users with OTP authentication

In the backend we carefully followed the instructions to set up everything needed for the Native Authentication + OTP (one time passcode) user flow documented here.

We've run into an issue with the refresh tokens that we receive when using Native Authentication

Our expectation is that our refresh tokens should be valid for 90 days because we're using native apps which should fall under the 'other scenarios' in the following statement by microsoft documented for Entra ID:

The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.

However our refresh tokens expire after 12 hours, which leads to a bad UX in our app due to forced repeated logins

AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-09-25T13:42:23.0482303Z and was inactive for 12:00:00.

ianc1 6 Reputation points

2025-09-09T22:40:38.42+00:00

I'm running into a similar issue for mobile apps using email OTP.

Users are being prompted to reauthenticate after 24 hours of inactivity rather than the expected 90 days.

The app registration is configured for IOS and Android platforms (Not SPA).

Users authenticate using Email OTP.

Unlike the original reporter, I'm seeing a 1 day expiry rather than 12 hours.

The mobile app is using MSAL.NET v4.74.0 which is performing PKCE code flow.

Ideally I'd like the expiry to be configurable but I'd be happy with 90 days as per the documentation.

https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens

Hopefully I just have something misconfigured as its going to be a show stopper for my mobile app if it isn't.

M``SAL.Xamarin.iOS.4.74.0.0.MsalUiRequiredException: ErrorCode: invalid_grant Microsoft.Identity.Client.MsalUiRequiredException: AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2025-09-08T17:57:57.6557470Z and was inactive for 1.00:00:00. Trace ID: 30f060ac-3549-4fc7-8661-34ed78480200 Correlation ID: 252009f8-1234-4148-9b57-f5ec45fdc55c Timestamp: 2025-09-09 20:44:36Z

Thanks
Dan Rios 2,050 Reputation points MVP

2025-09-10T00:02:42.34+00:00

@IanC

I wish it were a misconfiguration. I have had confirmation from my UK CSA at Microsoft that it is a BUG! The Entra External team need to look into this but it’s already been a while and no fix. It’s a major show stopper for mobile apps, we have had the same issue. The docs suggest it should be 90 days with the ability to silent refresh in MSAL to roll it over for up to one year before forcing login again (providing the user has activity in the app every 90 days). Whereas currently, as you’re also seeing, it expires within 24 hours. So we are stuck, because who is going to use a mobile app that requires you to be active in it every day or you’re logged out!? Unacceptable UX.
ianc1 6 Reputation points

2025-09-10T16:08:21.0366667+00:00

@Dan Rios Thanks for the reply. That's so frustrating, if it wasn't for this issue Extra External Id would have been perfect for my mobile app. But as it stands it's completely unworkable. No one will want to sign in every time they use the app.

I'm going to have to switch to a different identity provider. Does anyone have any low cost recommendations that support email OTP? Firebase?

Frustratingly, I've only recently migrated from Azure B2C which didn't have this issue but I'm not going back to something that has been depreciated :(

Do you know if there is a public bug/work item tracking this issue?
Dan Rios 2,050 Reputation points MVP

2025-09-10T16:11:01.5033333+00:00

Unfortunately I don’t know of any cheap alternatives, mostly because I haven’t looked tbh. I have been trying to reach the External ID product group for a while with this issue. I am not aware of any roadmap or bug fix board we can view publicly. I will keep chasing my side and if I get any news I’ll update you as well!
Alon Catz 0 Reputation points

2025-12-05T14:23:13.3766667+00:00

I ran into the same issue. @Dan Rios , any luck getting the External ID team engaged?
Dan Rios 2,050 Reputation points MVP

2025-12-05T14:48:38.2033333+00:00

@Alon Catz I did manage to get through to them eventually and provided full details including this thread. They said they’d take a look but couldn’t provide a fix timeline. I will chase again soon and update when I get anything
Sam Vanhoutte 10 Reputation points MVP

2026-05-19T08:40:35.5666667+00:00

Is there any github issue that we can make noise on? This is getting crazy and is making our users angry. No one wants to sign in to a mobile app, everyday
Dan Rios 2,050 Reputation points MVP

2026-05-19T08:43:14.81+00:00

@Sam Vanhoutte I have almost given up. The PG didn’t seem too engaged with the issue after I made contact with them. Not aware of any GitHub repo to make noise with. But if you do post here I’ll happily jump onto it with you too.
Sam Vanhoutte 10 Reputation points MVP

2026-05-19T09:02:33.7133333+00:00

@Dan Rios Fyi : I have just sent an MVP alias mail and tagged you

5 answers

Your answer

ianc1 6 Reputation points

2025-09-09T22:40:38.42+00:00

I'm running into a similar issue for mobile apps using email OTP.

Users are being prompted to reauthenticate after 24 hours of inactivity rather than the expected 90 days.

The app registration is configured for IOS and Android platforms (Not SPA).

Users authenticate using Email OTP.

Unlike the original reporter, I'm seeing a 1 day expiry rather than 12 hours.

The mobile app is using MSAL.NET v4.74.0 which is performing PKCE code flow.

Ideally I'd like the expiry to be configurable but I'd be happy with 90 days as per the documentation.

https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens

Hopefully I just have something misconfigured as its going to be a show stopper for my mobile app if it isn't.

M``SAL.Xamarin.iOS.4.74.0.0.MsalUiRequiredException: ErrorCode: invalid_grant Microsoft.Identity.Client.MsalUiRequiredException: AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2025-09-08T17:57:57.6557470Z and was inactive for 1.00:00:00. Trace ID: 30f060ac-3549-4fc7-8661-34ed78480200 Correlation ID: 252009f8-1234-4148-9b57-f5ec45fdc55c Timestamp: 2025-09-09 20:44:36Z

Thanks
Dan Rios 2,050 Reputation points MVP

2025-09-10T00:02:42.34+00:00

@IanC

I wish it were a misconfiguration. I have had confirmation from my UK CSA at Microsoft that it is a BUG! The Entra External team need to look into this but it’s already been a while and no fix. It’s a major show stopper for mobile apps, we have had the same issue. The docs suggest it should be 90 days with the ability to silent refresh in MSAL to roll it over for up to one year before forcing login again (providing the user has activity in the app every 90 days). Whereas currently, as you’re also seeing, it expires within 24 hours. So we are stuck, because who is going to use a mobile app that requires you to be active in it every day or you’re logged out!? Unacceptable UX.
ianc1 6 Reputation points

2025-09-10T16:08:21.0366667+00:00

@Dan Rios Thanks for the reply. That's so frustrating, if it wasn't for this issue Extra External Id would have been perfect for my mobile app. But as it stands it's completely unworkable. No one will want to sign in every time they use the app.

I'm going to have to switch to a different identity provider. Does anyone have any low cost recommendations that support email OTP? Firebase?

Frustratingly, I've only recently migrated from Azure B2C which didn't have this issue but I'm not going back to something that has been depreciated :(

Do you know if there is a public bug/work item tracking this issue?
Dan Rios 2,050 Reputation points MVP

2025-09-10T16:11:01.5033333+00:00

Unfortunately I don’t know of any cheap alternatives, mostly because I haven’t looked tbh. I have been trying to reach the External ID product group for a while with this issue. I am not aware of any roadmap or bug fix board we can view publicly. I will keep chasing my side and if I get any news I’ll update you as well!
Alon Catz 0 Reputation points

2025-12-05T14:23:13.3766667+00:00

I ran into the same issue. @Dan Rios , any luck getting the External ID team engaged?
Dan Rios 2,050 Reputation points MVP

2025-12-05T14:48:38.2033333+00:00

@Alon Catz I did manage to get through to them eventually and provided full details including this thread. They said they’d take a look but couldn’t provide a fix timeline. I will chase again soon and update when I get anything
Sam Vanhoutte 10 Reputation points MVP

2026-05-19T08:40:35.5666667+00:00

Is there any github issue that we can make noise on? This is getting crazy and is making our users angry. No one wants to sign in to a mobile app, everyday
Dan Rios 2,050 Reputation points MVP

2026-05-19T08:43:14.81+00:00

@Sam Vanhoutte I have almost given up. The PG didn’t seem too engaged with the issue after I made contact with them. Not aware of any GitHub repo to make noise with. But if you do post here I’ll happily jump onto it with you too.
Sam Vanhoutte 10 Reputation points MVP

2026-05-19T09:02:33.7133333+00:00

@Dan Rios Fyi : I have just sent an MVP alias mail and tagged you

Answer 1

Sasha Mars 16 Microsoft Employee

Thanks for choosing Entra External ID to authenticate external consumers in your CIAM scenario - great to see you leveraging Native Auth with OTP on mobile.

What you’re observing with refresh tokens expiring after ~12 hours when using Native Authentication with OTP on iOS and Android aligns with behavior others have reported in similar scenarios.

If your goal is to improve user experience and reduce frequent reauthentication, the recommended approach is to use Sign-in Frequency via Conditional Access session controls rather than relying on refresh token lifetime.

Sign-in Frequency lets you define how often a user must reauthenticate
It applies to native mobile apps (iOS and Android)
It provides a more predictable and controlled session experience

You can learn more here:

Recommendation (tokens vs. session controls)

A simple way to think about this:

Refresh tokens control how the app silently gets new access tokens in the background
Sign-in Frequency controls when the user is required to sign in again

In Entra External ID (especially with OTP scenarios), refresh token lifetime is not the primary lever for controlling user sessions.

👉 Recommendation: Use Sign-in Frequency as the source of truth for session duration, and treat refresh tokens as an implementation detail managed by the platform.

This approach gives you:

More predictable UX on mobile
Alignment with supported controls in External ID
Flexibility to adjust session duration without depending on token lifetime behavior

In short: use refresh tokens for silent renewal, and use Sign-in Frequency to define the user experience.

Dan Rios 2,050 Reputation points MVP

2026-05-19T14:05:43.45+00:00

Thank you for your engagement here Sasha!
Jesper B 0 Reputation points

2026-05-19T16:03:03.6566667+00:00

Thank you very much for your answer!

I have a SPA site where I use Microsoft Entra External ID together with MSAL. When I use one-time passcode, users have to log in every day with a new one-time passcode. If I use password, they don't have to type the their password again, the next day.

But if I create a policy in Microsoft Entra External ID, where Sign-in frequency is set to 365 days, users created with one-time passcode don't have to log in with a new one-time passcode every day, have I understood correctly?
Sam Vanhoutte 10 Reputation points MVP

2026-05-20T08:25:42.0966667+00:00

Thanks a lot @Sasha Mars for your reply! I verified it and noticed it works.
I have turned it into a step/step blog post, mean while: https://dev.to/samvanhoutte/fixing-aadsts700082-refresh-tokens-expiring-after-12-hours-in-azure-entra-external-id-1mj0
Jesper B 0 Reputation points

2026-05-21T14:48:39.4333333+00:00

My site is a SPA site. I created a policy with a login frequency of 90 days. It still doesn't help. For OTP users I get a refresh token that lasts 24 hours and after the 24 hours I have to enter a new passcode, which is sent by email.
Dan Rios 2,050 Reputation points MVP

2026-05-21T14:51:05.7033333+00:00

@Jesper B the limitation for SIP is it doesn’t work for SPA. The behaviour is still 12 hours. Only works for native apps (mobile eg swift and kotlin) as far as Sasha informed me and Sam.

Answer 2

Krunal Berawala 11

This issue still persist when Android & iOS clients to signup and signin users with OTP authentication.

None of the above solutions are applicable to Entra EXTERNAL ID.

0 comments

Answer 3

It's really bad for my app that my email OTP users have to log in every day. My users are both young and old people. I've switched to username/password instead. But the whole idea of them not having to create a password is now gone and it should be as easy as possible to sign up.

In my frustration, I considered creating an Azure B2C tenant, but you can't do that anymore, Microsoft has closed it down for new creations. They want you to use Microsoft Intra External ID instead.

I've tried setting up a policy for my app without success.

I really hope Microsoft fixes this bug soon. It's been almost a year now and it hasn't been fixed yet!

$policy = New-AzureADPolicy -Definition @('{"AccessTokenLifetime":"23:59:59","RefreshTokenLifetime":"90:00:00:00","RollingRefreshTokenLifetime":"90:00:00:00"}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
 
Get-AzureADPolicy -Id $policy.Id
 
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'XXX'"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

User's image

Answer 4

Martin May 10

I have the same problem - did any of the suggestions mentioned above help?

Niek Bijman 90 Reputation points

2024-10-06T15:53:36.95+00:00

Hey @Martin May ,

No unfortunately no answer that works yet. Check the comments on James's Hamil's answer for a continuation of the discussion.

The reason the proposed suggestions don't apply is because the suggestions are for Azure B2C, whereas I'm looking for an answer for Azure Entra External ID.
Martin May 10 Reputation points

2024-10-06T19:30:18.9633333+00:00

I suspect that this can't be changed for email OTP authentication as the documentation says that the maximum length of the session is 24 hours; it's logical that the lifetime of the refresh token is shortened to 12 hours.
https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode#:~:text=One%2Dtime%20passcodes%20are,no%20longer%20needs%20access.
This seems to be hardcoded for quest accounts with OTP authentication.

I believe only using Entra B2C with email/password authentication can have longer sessions.
Niek Bijman 90 Reputation points

2024-10-07T09:22:24.9333333+00:00
I don't think that documentation applies to Entra External ID native auth with OTP because:

it discusses workforce tenants instead of external tenants

it discusses guest users, whereas the users i see in azure entra external id that signed up with native auth and OTP are members

The closest statement that i've found relating to refresh tokens for the external ID platform is this one: https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens#token-lifetime

So i'll take microsoft on their word when they state:

The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
Martin May 10 Reputation points

2024-10-07T12:42:01.9533333+00:00

In the Azure AD B2C tenant, the token lifetime could be configured as part of "user flows" - but it seems to have been removed in Entra External ID.
Anonymous

2024-10-22T21:39:21.7666667+00:00

Hi @Martin May , so sorry for the delay in response. I'm going to open a support ticket to look into this further.

Best,

James
Martin May 10 Reputation points

2024-10-24T09:27:36.88+00:00

Dear @James Hamil , no need for a ticket.
We use Azure B2C so far,

Answer 5

Anonymous

Hi @Niek Bijman , the default lifetime for refresh tokens in Azure AD B2C is 24 hours for single page apps and 90 days for all other scenarios, but there are other settings that can affect the lifetime of refresh tokens, such as refresh_token_lifetime and rolling_refresh_token_lifetime.

Make sure that the refresh_token_lifetime policy setting is set to the default value of 90 days. (Policies > Properties > Token Lifetime Policy) and set the value to 7776000 (90 days in seconds).

Check that the rolling_refresh_token_lifetime policy setting is not set to a value that is less than 12 hours. This setting determines the maximum amount of time that a user can use a refresh token without having to reauthenticate. If this value is set to a value that is less than 12 hours, it could cause the refresh token to expire prematurely.

Also verify that your app is using the correct scopes when requesting access tokens and refresh tokens. Make sure that you are requesting the offline_access scope when you authenticate the user. This is required to obtain a refresh token that can be used to obtain new access tokens without requiring the user to reauthenticate.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Niek Bijman 90 Reputation points

2024-10-03T08:16:48.8066667+00:00
Hi @James Hamil ,

Your suggestion mentions Azure AD B2C, though I'm looking for a solution for refresh tokens using Entra External ID. As far as I know B2C is a separate offering from Entra External ID, unless setting policies in B2C somehow affects policies in Entra External ID?

In any case if I attempt to do the equivalent of what you suggested in Entra External ID I can only set AccessTokenLifetime. Any refresh token related properties (rolling_refresh_token_lifetime, refresh_token_lifetime) will result in this error response for the tokenPolicy endpoint. If you see mistakes in formatting or syntax in the request please let me know.

Request: POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies Authorization: Bearer <accessToken> { "definition": [ "{\"TokenLifetimePolicy\": {\"Version\": 1, \"AccessTokenLifetime\": \"23:59:59\"\"RefreshTokenLifetime\": \"90:00:00:00\",\"RollingRefreshTokenLifetime\": \"90:00:00:00\"}}" ], "displayName": "default-refresh-token-policy", "isOrganizationDefault": true } Response: 400: Bad Request { "error": { "code": "Request_BadRequest", "message": "Property definition has an invalid value.", "details": [ { "code": "InvalidValue", "message": "Property definition has an invalid value.", "target": "definition" } ], "innerError": { "date": "2024-10-03T08:00:16", "request-id": "<uuid>", "client-request-id": "<uuid>" } } }

The inability to set refresh token related values seems to be confirmed by this statement:

As of January 30, 2021 you cannot configure refresh and session token lifetimes

What should i do instead to configure refresh token lifetime longer than 12 hours for Entra External ID?
Anonymous

2024-10-03T18:16:30.5966667+00:00

@Niek Bijman Oops! Sorry about that. Misread your question. For External ID you would have to use Sign-In Frequency control: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime

Please let me know if you have any questions!
Niek Bijman 90 Reputation points

2024-10-03T18:25:47.36+00:00

Hey James Hamil,

No worries thanks for helping out! Regarding Sign-In Frequency control I run into this issue which is on this thread where I added a comment.

The main issue i reference here

Hi @James Hamil The Session option in Conditional Access policy is disabled in Entra External ID (as @rosskoes05 & @Ryan Buening have mentioned), which prevents us from configuring the Sign-In Frequency in the way you suggested

So basically we can't configure Sign-In Frequency in Entra External ID because the Session option states 'Not Available' (see screenshot). Sign-in Frequency is defined under the session options, so since it's not available we can't change any Sign-In settings
Niek Bijman 90 Reputation points

2024-10-08T09:03:09.34+00:00

Hi @James Hamil , would you be able to help or share it with someone who can help? If the answer is that External ID has 0 options to solve this problem then I can just move on and switch to B2C or other platforms.
Niek Bijman 90 Reputation points

2024-10-10T08:13:14.66+00:00

As a last attempt we tried the browser delegated example to check whether it was the Native Authentication flow that was problematic.

Sample
ms-identity-ciam-browser-delegated-android-sample

However with the browser delegated sample we into the same refresh token limit of 12:00:00

We've decided to switch to Azure B2C to avoid dealing with this problem.
Anonymous

2024-10-22T21:38:36.0066667+00:00

Hi @Niek Bijman , so sorry for the delay in response. Looks like this is a common issue that we may need to file a bug for.

Best,

James
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
David Schneiderbauer 10 Reputation points

2024-12-03T09:24:18.8366667+00:00

I assume nobody has had a look into this issue by now?

Or is there any update the you can share @James Hamil ?
Mathieu Fillion 0 Reputation points

2024-12-05T17:07:37.8+00:00

We also have this issue, we can't use otp with 12hr durations... we're looking at other products in the meantime.
Krunal Berawala 11 Reputation points

2025-05-14T23:27:27.34+00:00

This issue still persist when Android & iOS clients to signup and signin users with OTP authentication.

None of the above solutions are applicable to Entra EXTERNAL ID.
MCAR 5 Reputation points

2025-07-17T02:51:50.88+00:00

Is there still no update on this? This is a massive disappointment and huge waste of my time if this is the case.
Jussi Palo 6 Reputation points

2026-03-03T15:18:40.97+00:00

REMOVED

Share via

Refresh tokens expire after 12 hours using Microsoft Entra External ID native authentication with OTP

Issue

5 answers

Recommendation (tokens vs. session controls)

Your answer