Do I need to include offline_access (scope) when requesting an access token in order to receive a refresh token?

Marco vanW 156 Reputation points
2025-01-08T08:53:56.71+00:00

Hi

I am just not 100% whether or not I would need to define scope so that it included "offline_access" when I request an access token (from [...]oauth2/v2.0/token), provided that I have already authorized and granted consent for that scope initially (via [...]oauth2/v2.0/authorize).

So would I define my scope as "https://graph.microsoft.com/Mail.Send offline_access" or can I drop "offline_access" and would still receive a refresh token?

Thanks!

Microsoft Security | Microsoft Graph
0 comments No comments
{count} votes

Accepted answer
  1. CarlZhao-MSFT 46,376 Reputation points
    2025-01-08T09:46:40.29+00:00

    Hi @Marco vanW

    The "offline_access" permission is necessary. You must include this permission in the scope to receive a refresh token.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.