Refresh token 400 invalid_grant error after access token has expired, using Web NOT SPA

Alan Hamlett 0 Reputation points
2023-07-12T20:54:49.6866667+00:00

I can get a refresh token with offline access and the refresh token works for a few hours, giving me a new access and refresh token combination. However, after an hour or two the access token expires. The refresh token should still work, but now it gives a 400 invalid_grant error when trying to refresh. And yes, I've selected Web not SPA in my App's redirect uri settings.


Microsoft Graph

1 answer

  1. Alan Hamlett 0 Reputation points
    2023-07-17T20:56:59.2666667+00:00

    Solved: The problem was using commas instead of spaces as separator for the list of scopes when refreshing tokens. Commas are accepted when refreshing for personal Microsoft accounts (MSA) but only spaces are accepted when refreshing for work or school accounts (Entra ID fka Azure AD). Thankfully Microsoft says an improved error message is coming soon.

    Make sure to use spaces not commas when separating your scopes for the Graph API.

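The fix described in the answer above, as an added example that is not part of the original post and not Microsoft's code: it normalizes a scope list to the space-delimited form before building the refresh request for the v2.0 token endpoint. The helper names, the `common` tenant default and the placeholder credentials are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Microsoft identity platform v2.0 token endpoint; "common" is one valid tenant value.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def normalize_scopes(scopes):
    """Return scopes as one space-delimited string (RFC 6749, section 3.3).

    Accepts a list, or a string joined with commas and/or whitespace.
    Order is preserved and duplicates are dropped.
    """
    if isinstance(scopes, str):
        scopes = [scopes]
    seen, out = set(), []
    for item in scopes:
        for scope in re.split(r"[,\s]+", item.strip()):
            if scope and scope not in seen:
                seen.add(scope)
                out.append(scope)
    if not out:
        raise ValueError("at least one scope is required")
    return " ".join(out)


def build_refresh_request(refresh_token, client_id, client_secret, scopes, tenant="common"):
    """Build (without sending) the POST that redeems a refresh token."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": normalize_scopes(scopes),  # spaces, never commas
    }
    return Request(
        TOKEN_URL.format(tenant=tenant),
        data=urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    req = build_refresh_request("REFRESH_TOKEN", "CLIENT_ID", "CLIENT_SECRET",
                                "offline_access,User.Read, Mail.Read")
    print(req.full_url)
    print(parse_qs(req.data.decode())["scope"][0])
```

Normalizing at the point where the request is built means a comma-joined scope string stored in older configuration cannot reach the token endpoint unchanged.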
