Why do API tokens expire for my app, and how does verification play into that?
Hi everyone! I need a bit of your help. I'm an Individual Developer registered with Partner Center. I have a productivity and calendar application in the Microsoft Store. Since it's a calendar application, one can connect their Outlook/Office 365 calendar and see their personal/work events in the app.

On the app registration side in Azure AD, the app is a public client, not a SPA. The documentation clearly differentiates between auth flows for SPAs and desktop apps. The app correctly fetches tokens and refreshes them with refresh tokens using the flow for Mobile and Native Apps (including switching to the new refresh token returned on each token refresh). The documentation clearly states 24h refresh token validity for SPAs and 90d for public clients, with no exceptions or ifs mentioned.

However, many users report having to log in to authorize the integration every day, which is annoying. Not everyone, though – it seems different for people in different organizations.

My Azure AD app registration is "unverified", which users see in the authorization window when they authorize the integration or request admin consent. I assume that as an individual developer I cannot get the app verified – I don't have a Partner ID, which I can't get because I'm not a company. That's okay.

The question is: what affects how long refresh tokens are valid in this specific case? Clearly, it's not 90 days for people. Does the "unverified" app status shorten refresh token validity? Is it because of some per-organization policy regarding "unverified" apps, or is it some security machine-learning thing doing this in the background?

I want to understand the problem. If there's nothing I can do about it, that's okay. At least I'll know what to say to people when they reach out to my support, as I'm only guessing currently. Thanks for any help here.
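The refresh flow the post describes (public client, refresh_token grant, adopting the rotated refresh token on every response) in runnable form, as an added example that is not code from the original post or from the poster's app. The v2.0 token response carries `expires_in` for the access token but no expiry for the refresh token, so the only signal a native app ever gets that a refresh token has stopped working is an `invalid_grant` error at refresh time; the example records that moment and surfaces the endpoint's `error_description` and `error_codes` so support has something concrete to quote. The `post` function is injected and the endpoint below is a constructed stand-in (assumptions: it rotates the refresh token on every success and rejects any replayed one), so the block runs offline against no real tenant.

```python
"""Refresh-token handling for a public client against the Microsoft identity platform.

Added example, not the original post's code. Assumptions: `post` is an injected HTTP
function so the block runs offline; make_fake_endpoint() is a constructed imitation of
the v2.0 token endpoint's refresh_token grant and its invalid_grant error shape.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Real v2.0 token endpoint for the "common" authority (never contacted in this offline example).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
REFRESH_SKEW_SECONDS = 300  # refresh a little before the access token actually expires


@dataclass
class TokenCache:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0          # access-token expiry, epoch seconds
    refresh_issued_at: float = 0.0   # when we last received an RT (assumption: tracked locally, not reported by the server)


class InteractiveSignInRequired(Exception):
    """Raised when the refresh token is rejected; only an interactive sign-in can recover."""

    def __init__(self, error: str, description: str, error_codes: list):
        super().__init__(f"{error}: {description} (codes={error_codes})")
        self.error = error
        self.description = description
        self.error_codes = error_codes


def refresh_grant_form(client_id: str, refresh_token: str, scope: str) -> dict:
    """Form body for the refresh_token grant; a public client sends no client_secret."""
    return {"client_id": client_id, "grant_type": "refresh_token",
            "refresh_token": refresh_token, "scope": scope}


def refresh_tokens(cache: TokenCache, client_id: str, scope: str, post: Callable, now=time.time) -> str:
    if not cache.refresh_token:
        raise InteractiveSignInRequired("no_refresh_token", "nothing cached", [])
    status, body = post(TOKEN_ENDPOINT, refresh_grant_form(client_id, cache.refresh_token, scope))
    if status != 200:
        error = body.get("error", "unknown_error")
        if error == "invalid_grant":
            # Expired, revoked, or rejected by tenant policy. Drop the stale RT so it is never
            # replayed, and hand the server's explanation to the caller for logging/support.
            cache.access_token = None
            cache.refresh_token = None
            raise InteractiveSignInRequired(error, body.get("error_description", ""),
                                            body.get("error_codes", []))
        raise RuntimeError(f"token endpoint returned {status}: {error}")
    cache.access_token = body["access_token"]
    cache.expires_at = now() + int(body.get("expires_in", 0)) - REFRESH_SKEW_SECONDS
    new_rt = body.get("refresh_token")
    if new_rt:
        # Rotation: persist the newly issued refresh token and forget the one just used.
        cache.refresh_token = new_rt
        cache.refresh_issued_at = now()
    return cache.access_token


def get_access_token(cache: TokenCache, client_id: str, scope: str, post: Callable, now=time.time) -> str:
    """Return a usable access token, refreshing silently when the cached one is stale."""
    if cache.access_token and now() < cache.expires_at:
        return cache.access_token
    return refresh_tokens(cache, client_id, scope, post, now)


def make_fake_endpoint(initial_rt: str = "rt-0") -> Tuple[Callable, dict]:
    """Constructed stand-in for the token endpoint: rotates the RT on every successful refresh."""
    state = {"calls": 0, "valid_rts": {initial_rt}}

    def post(url: str, form: dict) -> Tuple[int, dict]:
        state["calls"] += 1
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in state["valid_rts"]:
            return 400, {"error": "invalid_grant",
                         "error_description": "constructed: refresh token expired, revoked, or already rotated",
                         "error_codes": []}
        new_rt = f"rt-{state['calls']}"
        state["valid_rts"] = {new_rt}  # the refresh token just presented is no longer valid
        return 200, {"token_type": "Bearer", "scope": form.get("scope", ""), "expires_in": 3600,
                     "access_token": f"at-{state['calls']}", "refresh_token": new_rt}

    return post, state


if __name__ == "__main__":
    post, _ = make_fake_endpoint()
    cache = TokenCache(refresh_token="rt-0")
    print(get_access_token(cache, "00000000-0000-0000-0000-000000000000", "User.Read offline_access", post))
    try:  # a stale copy of the original RT is refused once rotation has happened
        get_access_token(TokenCache(refresh_token="rt-0"), "00000000-0000-0000-0000-000000000000", "User.Read", post)
    except InteractiveSignInRequired as exc:
        print("interactive sign-in needed:", exc)
```

When wiring this to a real client, replace `post` with an HTTPS POST of the form body and persist `TokenCache` in protected storage; the `refresh_issued_at` timestamp plus the logged `error_codes` from each `InteractiveSignInRequired` are what let you tell, per user, whether refresh tokens are dying after a day or after 90.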