Thank you for posting this in Microsoft Q&A.
I understand that you are asking how to extend the lifetime of a refresh token so that you can use it in a background job to send phishing emails to users for an extended period of time without requiring the Org Admin to provide consent on a regular basis.
By default, the access token lifetime is 60 minutes, and refresh tokens have a longer lifetime than access tokens. The default lifetime for refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
As of January 30, 2021, you cannot configure refresh and session token lifetimes. Unfortunately, you cannot extend the period of a refresh token to 6 to 12 months. Refresh tokens replace themselves with a fresh token upon every use, but they can be revoked at any time due to timeouts, revocations, or other reasons. Therefore, in order to handle this, your application must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token.
For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens
You can configure sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again. For more information, see Configuring authentication session management with Conditional Access.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.
If this answers your query, do click Accept Answer
and Yes
for was this answer helpful. And, if you have any further query do let us know.