Error 50089 - Flow token expired - Authentication Failed for SSO devices

Rasmussen, Johannes 0 Reputation points
2025-03-03T13:19:48.17+00:00

We have some devices and users set up for Seamless SSO that people need to access a Dynamics site without needing a password, but every couple of days after a reboot it asks to "verify your password because you are accessing sensitive info". In the sign-in logs it shows the error "Error 50089 - Flow token expired". It works fine for a couple of days after entering the password, but then it asks again.

Users are AD synced and devices hybrid join correctly.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. BANDELA Siri Chandana 1,800 Reputation points Microsoft External Staff
    2025-03-04T06:15:52.6+00:00

    Hi @Rasmussen, Johannes

    Thank you for posting your query on Microsoft Q&A.

    I understand that you have some devices and users set up for Seamless SSO that people need to access a Dynamics site without needing a password, but you are encountering an error: the sign-in logs show "Error 50089 - Flow token expired".

    This occurs when authentication fails because the flow token has expired. Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user.

    As you set up Seamless SSO, check whether any Conditional Access policy is applied for session control.

    Non-persistent session tokens have a Max Inactive Time of 24 hours whereas persistent session tokens have a Max Inactive Time of 90 days. Anytime the SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days. If the SSO session token isn't used within its Max Inactive Time period, it's considered expired and will no longer be accepted. Any changes to this default period should be made using Conditional Access. That is why it works fine for a couple of days after entering the password but then asks again.

    Follow the document for more information: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click `Accept Answer` and `Yes`.
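
The sliding inactivity window described in the answer can be checked against sign-in history. The following is an added example, not part of the answer and not Microsoft's code: it takes constructed `(timestamp, user, error_code)` records (a simplified shape assumed here, not the real sign-in log schema, with `0` assumed to mean success) and, for each 50089 event, reports how long the session had been idle and whether that exceeds the Max Inactive Time.

```python
from datetime import datetime, timedelta

# Max Inactive Time values quoted in the answer above.
NON_PERSISTENT_MAX_INACTIVE = timedelta(hours=24)
PERSISTENT_MAX_INACTIVE = timedelta(days=90)
FLOW_TOKEN_EXPIRED = 50089

# Constructed sample records: (timestamp, user, error_code); 0 = success (assumed).
SAMPLE_EVENTS = [
    ("2025-03-03T08:00:00", "user1@example.com", 0),
    ("2025-03-03T16:30:00", "user1@example.com", 0),
    ("2025-03-04T08:05:00", "user1@example.com", 0),
    ("2025-03-07T08:10:00", "user1@example.com", 50089),  # device unused for 3 days
    ("2025-03-07T08:11:00", "user1@example.com", 0),      # password entered again
    ("2025-03-07T13:00:00", "user1@example.com", 50089),  # prompt despite recent use
]


def classify_expiries(events, max_inactive):
    """Return (user, timestamp, idle, verdict) for every 50089 event.

    Each successful sign-in counts as a use of the session token and restarts
    the inactivity window. "idle-expiry" means the gap since the last use is
    longer than max_inactive, which the sliding window alone explains.
    "within-window" means the token was used recently, so something else
    (for example a Conditional Access session control) should be checked.
    """
    last_use = {}
    findings = []
    for ts, user, code in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if code == 0:
            last_use[user] = when
        elif code == FLOW_TOKEN_EXPIRED:
            previous = last_use.get(user)
            if previous is None:
                findings.append((user, ts, None, "no-prior-use"))
                continue
            idle = when - previous
            verdict = "idle-expiry" if idle > max_inactive else "within-window"
            findings.append((user, ts, idle, verdict))
    return findings


if __name__ == "__main__":
    for finding in classify_expiries(SAMPLE_EVENTS, NON_PERSISTENT_MAX_INACTIVE):
        print(finding)
```

Prompts classified as `within-window` are the ones worth comparing against Conditional Access session controls, since idle time does not account for them.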

