Hi Tomlin Izie,
Thank you for posting your question in the Microsoft Q&A forum.
To make sure we aim at the right solution for your security and compliance goals, could you share your end objective? For example, are you primarily trying to prevent token exposure, ensure reliable token refresh so calls don’t fail on expiry, or enforce organization‑level controls (admin consent, audit, data boundaries), or a combination of these?
In the meantime, based on your current scenario, here are two immediate pieces of advice that you can consider:
1) Grant least‑privilege Microsoft Graph permissions
Keep your access tokens as constrained as possible by only requesting the minimal scopes needed for each operation. This reduces blast radius if a token is ever intercepted and helps pass tenant security reviews.
2) Enable and handle Continuous Access Evaluation (CAE)
Adopting CAE improves both security and resilience:
- Security: CAE allows access tokens to be revoked in near‑real time when risk or policy changes (e.g., user disabled, risky sign‑in, Conditional Access updates), rather than waiting for a fixed token lifetime.
- Resilience: When your app declares itself CAE‑ready and handles claims challenges, the platform can issue longer‑lived, proactively refreshed tokens (often up to 28 hours) via MSAL, which mitigates failures due to token expiry.
- Implementation tip: On a 401 with a WWW-Authenticate header containing a claims value, re-acquire the token (silent first, then interactive if required) including that claims payload. More details and sample code across languages are provided here: https://learn.microsoft.com/en-us/entra/identity-platform/app-resilience-continuous-access-evaluation?tabs=dotnet
If you can share more detail on your end goal, I’ll tailor the next steps and examples precisely to your scenario.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
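As an added example (not code from the answer above or from the Microsoft documentation it links), here is the claims-challenge handling step in Python: parse the WWW-Authenticate header, tell a CAE claims challenge apart from an ordinary 401, and forward the decoded claims to MSAL silently first, then interactively. The sample header is constructed, and the `app`, `scopes` and `account` arguments are assumed to be an MSAL PublicClientApplication and its usual inputs (MSAL is not imported here).

```python
import base64
import json
import re
from typing import Optional

# Constructed sample: a Microsoft Graph-style 401 that carries a CAE claims
# challenge. Graph returns the claims value base64-encoded inside the header.
CLAIMS_JSON = '{"access_token":{"nbf":{"essential":true,"value":"1700000000"}}}'
SAMPLE_HEADERS = {
    "WWW-Authenticate": (
        'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
        'error="insufficient_claims", claims="'
        + base64.b64encode(CLAIMS_JSON.encode()).decode().rstrip("=") + '"'
    )
}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Split a 'Bearer k="v", ...' WWW-Authenticate value into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return dict(_PARAM_RE.findall(params))


def extract_claims_challenge(status: int, headers: dict) -> Optional[str]:
    """Return the decoded claims JSON if this response is a CAE claims challenge,
    else None: an ordinary 401 must not be retried with a claims payload."""
    if status != 401:
        return None
    params = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)          # restore any stripped base64 padding
    claims = base64.b64decode(raw).decode()
    json.loads(claims)                    # reject a malformed challenge early
    return claims


def reacquire_token(app, scopes, account, claims: str) -> dict:
    """Silent first, then interactive, forwarding the claims challenge to MSAL.
    Assumption: `app` is an MSAL PublicClientApplication created with
    client_capabilities=["CP1"], which is what declares the app CAE-ready."""
    result = app.acquire_token_silent(scopes, account=account, claims_challenge=claims)
    if not result or "access_token" not in result:
        result = app.acquire_token_interactive(scopes, claims_challenge=claims)
    return result
```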