This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 46%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
We chose Microsoft Entra External ID for authenticating external consumers using CIAM after reading this article
We're using these Android & iOS clients to signup and signin users with OTP authentication
In the backend we carefully followed the instructions to set up everything needed for the Native Authentication + OTP (one time passcode) user flow documented here.
We've run into an issue with the refresh tokens that we receive when using Native Authentication
Our expectation is that our refresh tokens should be valid for 90 days because we're using native apps which should fall under the 'other scenarios' in the following statement by microsoft documented for Entra ID:
The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
However our refresh tokens expire after 12 hours, which leads to a bad UX in our app due to forced repeated logins
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-09-25T13:42:23.0482303Z and was inactive for 12:00:00.
Hi @Niek Bijman , the default lifetime for refresh tokens in Azure AD B2C is 24 hours for single page apps and 90 days for all other scenarios, but there are other settings that can affect the lifetime of refresh tokens, such as refresh_token_lifetime and rolling_refresh_token_lifetime.
Make sure that the refresh_token_lifetime policy setting is set to the default value of 90 days. (Policies > Properties > Token Lifetime Policy) and set the value to 7776000 (90 days in seconds).
Check that the rolling_refresh_token_lifetime policy setting is not set to a value that is less than 12 hours. This setting determines the maximum amount of time that a user can use a refresh token without having to reauthenticate. If this value is set to a value that is less than 12 hours, it could cause the refresh token to expire prematurely.
Also verify that your app is using the correct scopes when requesting access tokens and refresh tokens. Make sure that you are requesting the offline_access scope when you authenticate the user. This is required to obtain a refresh token that can be used to obtain new access tokens without requiring the user to reauthenticate.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
Hi @James Hamil ,
Your suggestion mentions Azure AD B2C, though I'm looking for a solution for refresh tokens using Entra External ID. As far as I know B2C is a separate offering from Entra External ID, unless setting policies in B2C somehow affects policies in Entra External ID?
In any case if I attempt to do the equivalent of what you suggested in Entra External ID I can only set AccessTokenLifetime. Any refresh token related properties (rolling_refresh_token_lifetime, refresh_token_lifetime) will result in this error response for the tokenPolicy endpoint. If you see mistakes in formatting or syntax in the request please let me know.
Request:
POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
Authorization: Bearer <accessToken>
{
"definition": [
"{\"TokenLifetimePolicy\": {\"Version\": 1, \"AccessTokenLifetime\": \"23:59:59\"\"RefreshTokenLifetime\": \"90:00:00:00\",\"RollingRefreshTokenLifetime\": \"90:00:00:00\"}}"
],
"displayName": "default-refresh-token-policy",
"isOrganizationDefault": true
}
Response:
400: Bad Request
{
"error": {
"code": "Request_BadRequest",
"message": "Property definition has an invalid value.",
"details": [
{
"code": "InvalidValue",
"message": "Property definition has an invalid value.",
"target": "definition"
}
],
"innerError": {
"date": "2024-10-03T08:00:16",
"request-id": "<uuid>",
"client-request-id": "<uuid>"
}
}
}
The inability to set refresh token related values seems to be confirmed by this statement:
As of January 30, 2021 you cannot configure refresh and session token lifetimes
What should i do instead to configure refresh token lifetime longer than 12 hours for Entra External ID?
@Niek Bijman Oops! Sorry about that. Misread your question. For External ID you would have to use Sign-In Frequency control: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime
Please let me know if you have any questions!
Hey James Hamil,
No worries thanks for helping out! Regarding Sign-In Frequency control I run into this issue which is on this thread where I added a comment.
The main issue i reference here
Hi @James Hamil The Session option in Conditional Access policy is disabled in Entra External ID (as @rosskoes05 & @Ryan Buening have mentioned), which prevents us from configuring the Sign-In Frequency in the way you suggested
So basically we can't configure Sign-In Frequency in Entra External ID because the Session option states 'Not Available' (see screenshot). Sign-in Frequency is defined under the session options, so since it's not available we can't change any Sign-In settings
Hi @James Hamil , would you be able to help or share it with someone who can help? If the answer is that External ID has 0 options to solve this problem then I can just move on and switch to B2C or other platforms.
As a last attempt we tried the browser delegated example to check whether it was the Native Authentication flow that was problematic.
Sample
ms-identity-ciam-browser-delegated-android-sample
However with the browser delegated sample we into the same refresh token limit of 12:00:00
We've decided to switch to Azure B2C to avoid dealing with this problem.
Hi @Niek Bijman , so sorry for the delay in response. Can you please send me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and your subscription ID? I can open a free support ticket for you. Looks like this is a common issue that we may need to file a bug for.
Best,
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 42%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
I have the same problem - did any of the suggestions mentioned above help?
Hey @Martin May ,
No unfortunately no answer that works yet. Check the comments on James's Hamil's answer for a continuation of the discussion.
The reason the proposed suggestions don't apply is because the suggestions are for Azure B2C, whereas I'm looking for an answer for Azure Entra External ID.
I suspect that this can't be changed for email OTP authentication as the documentation says that the maximum length of the session is 24 hours; it's logical that the lifetime of the refresh token is shortened to 12 hours.
https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode#:~:text=One%2Dtime%20passcodes%20are,no%20longer%20needs%20access.
This seems to be hardcoded for quest accounts with OTP authentication.
I believe only using Entra B2C with email/password authentication can have longer sessions.
I don't think that documentation applies to Entra External ID native auth with OTP because:
The closest statement that i've found relating to refresh tokens for the external ID platform is this one: https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens#token-lifetime
So i'll take microsoft on their word when they state:
The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
In the Azure AD B2C tenant, the token lifetime could be configured as part of "user flows" - but it seems to have been removed in Entra External ID.
Hi @Martin May , so sorry for the delay in response. I'm going to open a support ticket to look into this further.
Best,
James
Dear @James Hamil , no need for a ticket.
We use Azure B2C so far,