Questions regarding application registrations

lgdev 25 Reputation points


We maintain an application that uses oauth2 flow to access IMAP and POP3 servers for our clients data. Our application has been created, registered almost 2 years ago in the azure dashboard with the relevant data

  • id
  • secrets
  • scopes (offiline IMAP POP SMTP)
  • redirect URIS

Everything works as expected with the oath2 flow (there are some gray areas with the "long lived" refresh token being invalided without warning but since there is a new refresh token on every authorization request we manage that as well internally)

Now we are moving forward to support mail read with pure graph calls and we need to add the relevant graph scopes in our application.

I have seen a warning pop up in the azure dashboard regarding editing scopes and requiring re-authorizing all managed accounts to our applications regarding the new scope. If true this is logistically unmanageable for us.

We don't mind creating new authorizations and new tokens for pure graph support but we cannot afford loosing the old ones in production.

So my first question is how will it work if we ADD a new scope (not remove just add a new scope)?

Alternatively we can create a new application registration with it's own settings and set it up as well. (I have it prepared as a test case locally with success). I see though that for that new application registration secrets have a maximum expiry date to 2 years (instead of around 300 years for the first adopters haha).

My second question is what happens when a secret expires? Right now it's a parameter to our servers infrastructure and we can easily change it but will it invalidate our oauth2 refresh tokens across our client base? That would also be logistically unmanageable for us... (I am inclined to believe that it will not affect them since it doesn't take part in the initial oauth2 authorization request)

To whoever can shed some light, thanks in advance!

Exchange Server Development
Exchange Server Development
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Development: The process of researching, productizing, and refining new or existing technologies.
491 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,551 questions
0 comments No comments
{count} votes

Accepted answer
  1. Shweta Mathur 25,296 Reputation points Microsoft Employee

    Hi @lgdev ,

    Thanks for reaching out.

    So my first question is how will it work if we ADD a new scope (not remove just add a new scope)?

    Regarding your first question, if you add a new scope to your application, it will not affect the existing authorizations and tokens for your clients. Your clients will only need to re-authorize and grant consent for the new scope if they want to use the new functionality that requires the new scope. The existing authorizations and tokens will continue to work as expected for the existing scopes**.**

    My second question is what happens when a secret expires?

    As for your second question, if a secret expires, it will not invalidate the existing OAuth2 refresh tokens across your client base. The expiration of a secret only affects the ability to generate new access tokens using that secret. Existing access tokens and refresh tokens will continue to work until they expire or are revoked. However, it is important to note that if you do need to generate a new secret, you will need to update your application's configuration to use the new secret, and any clients using your application will need to update their configuration as well.

    Hope this will help.



    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful