
Outlook Mobile keeps re-authenticating with MFA

Srinivasan, Ajith 0 Reputation points
2026-02-26T13:00:54.52+00:00

We had an issue with Outlook mobile re-authenticating with MFA. Deep down we saw the error 70043: "The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}." But there is no CA policy getting applied for the target application Outlook mobile. Then why 70043, as we see in the non-interactive logs? Bit breaking my head.

Outlook | Outlook for mobile | Outlook for iOS | For business

1 answer

  1. Phoebe-N 10,650 Reputation points Microsoft External Staff Moderator
    2026-02-26T13:58:04.2933333+00:00

    Hello @Srinivasan, Ajith

    Welcome to the Microsoft Q&A Community! 

    Thank you for your report regarding Outlook Mobile users experiencing repeated re‑authentication accompanied by the error code AADSTS70043.  

    Based on Microsoft’s official documentation and the behavior of Microsoft Entra ID token evaluation, this error indicates that a refresh token used by the Outlook mobile client was rejected because it exceeded the allowed Sign‑in Frequency window enforced by Conditional Access (CA).  

    It is important to note that although the error manifests within Outlook for iOS/Android, the enforcement occurs at the resource layer, most commonly Exchange Online, rather than at the Outlook mobile application object. Any Conditional Access policy applying a Session > Sign‑in frequency setting to Exchange Online or All cloud apps affects Outlook mobile’s non‑interactive token refreshes. When the refresh attempt occurs outside the permitted window, the request is denied, resulting in AADSTS70043.

    This behavior follows Microsoft’s documented Conditional Access session‑lifetime controls (see "Microsoft Entra multifactor authentication prompts and session lifetime - Microsoft Entra ID | Micr…"), which apply to all Microsoft 365 workloads that natively support OAuth 2.0, including Exchange Online, SharePoint Online, and Teams.

    When organizations do not change this control, the Microsoft Entra ID default posture is a rolling 90‑day sign‑in frequency, which defines the maximum uninterrupted access period before requiring new authentication. If your tenant has implemented a shorter interval, either intentionally or inherited from an existing CA policy, refresh requests will be unsuccessful once that period expires. Additionally, Sign‑in Frequency now applies not only to primary authentication but also to multifactor authentication (MFA), meaning users may be prompted to complete MFA as part of the re‑authentication cycle.  

    How to confirm the exact cause in your environment 

    You can identify the specific Conditional Access policy responsible for the enforcement by following these steps: 

    1. In Microsoft Entra admin center, access Monitoring & health > Sign‑in logs > User sign‑ins (non‑interactive) and locate an entry showing AADSTS70043 for the affected user. Verify that the resource is Exchange Online (typically shown as Office 365 Exchange Online).
    2. Identify the user’s most recent successful interactive sign‑in to the same resource preceding the failure. In that entry, review the Conditional Access tab to see which CA policy or policies applied at the time the session was created, specifically any with Sign‑in Frequency configured. This evaluation identifies the exact policy condition that caused the refresh to be denied.  
    3. If visible, review additional details such as “maximum allowed lifetime” or Conditional Access decision claims (for example, capolids), which confirm Sign‑in Frequency enforcement.  

    Recommended solutions for user accounts 

    1. Adjust Sign‑in Frequency to reduce unnecessary prompts: If users are being prompted more frequently than desired, extend the Sign‑in Frequency interval for Exchange Online or All cloud apps within your Conditional Access policy. A longer period (for example, 14–30 days) may offer a better balance between security and user convenience, while still maintaining meaningful session control. The Microsoft Entra ID default window is 90 days, which can also be used if no stricter controls are needed.
    2. Standardize Sign‑in Frequency across major Microsoft 365 services: Align your Sign‑in Frequency settings for Exchange Online and SharePoint Online so users experience consistent behavior across Outlook, OneDrive, and Office applications. Aligning these values helps reduce unexpected prompts triggered by accessing different services.
    3. Eliminate conflicts with legacy authentication settings: If you use Sign‑in Frequency in Conditional Access, avoid enabling “Remember MFA on trusted devices,” which may interfere with predictable re‑authentication behavior. Microsoft explicitly recommends disabling this setting when relying on SIF to ensure consistency.
    4. Educate users about expected re‑authentication intervals: Reinforcing awareness that periodic sign‑in prompts are expected under Sign‑in Frequency controls helps reduce support requests, especially following background refresh failures that surface through Outlook mobile.

    I hope you find this information clear and helpful in resolving the issue. 

    Feel free to correct me if there are any misunderstandings and keep me informed about the progress. 


    If you have extra questions about this answer, please click "Comment".  

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  
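As an added illustration of steps 1 to 3 in the answer above (example code written for this page, not part of the original answer and not Microsoft tooling): a small Python script that takes an exported set of sign-in log records, picks out the non-interactive 70043 failures against Exchange Online, finds the most recent successful interactive sign-in by the same user to the same resource before each failure, and reports which applied Conditional Access policies enforced sign-in frequency when that session was created. The user, timestamps and policy names are constructed sample data; the field names follow the Microsoft Graph `signIn` resource, and the `SignInFrequency` value in `enforcedSessionControls` is an assumption about how the control is labelled in the export.

```python
"""Correlate AADSTS70043 refresh failures with the Conditional Access policy
that set the sign-in frequency on the originating interactive session.

Assumptions (not from the original thread): records follow the field layout of
the Microsoft Graph `signIn` resource; all sample values below are constructed.
"""
from datetime import datetime

# Error code discussed in the thread: refresh rejected by sign-in frequency checks.
SIGN_IN_FREQUENCY_ERROR = 70043

# Constructed sample export: one non-interactive failure and two earlier
# interactive sign-ins by the same user to the same resource.
SAMPLE_SIGN_INS = [
    {
        "userPrincipalName": "user@contoso.example",
        "createdDateTime": "2026-02-26T12:55:00Z",
        "isInteractive": False,
        "appDisplayName": "Outlook Mobile",
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 70043,
                   "failureReason": "The refresh token has expired or is invalid "
                                    "due to sign-in frequency checks by conditional access."},
        "appliedConditionalAccessPolicies": [],
    },
    {
        "userPrincipalName": "user@contoso.example",
        "createdDateTime": "2026-02-25T09:00:00Z",
        "isInteractive": True,
        "appDisplayName": "Outlook Mobile",
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 0, "failureReason": None},
        "appliedConditionalAccessPolicies": [
            # Hypothetical policy names; the session-control label is assumed.
            {"displayName": "CA-Example-SIF-1day", "result": "success",
             "enforcedSessionControls": ["SignInFrequency"]},
            {"displayName": "CA-Example-RequireMFA", "result": "success",
             "enforcedSessionControls": []},
        ],
    },
    {
        "userPrincipalName": "user@contoso.example",
        "createdDateTime": "2026-02-20T08:00:00Z",
        "isInteractive": True,
        "appDisplayName": "Outlook Mobile",
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 0, "failureReason": None},
        "appliedConditionalAccessPolicies": [
            {"displayName": "CA-Example-SIF-1day", "result": "success",
             "enforcedSessionControls": ["SignInFrequency"]},
        ],
    },
]


def _ts(record):
    # Graph timestamps are ISO 8601 with a trailing Z; make them comparable.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def find_sif_failures(sign_ins, resource="Office 365 Exchange Online"):
    """Step 1: non-interactive sign-ins that failed with 70043 against the resource."""
    return [
        r for r in sign_ins
        if not r.get("isInteractive", True)
        and r.get("status", {}).get("errorCode") == SIGN_IN_FREQUENCY_ERROR
        and r.get("resourceDisplayName") == resource
    ]


def last_interactive_success_before(sign_ins, failure):
    """Step 2: the latest successful interactive sign-in by the same user to the
    same resource before the failure; its CA evaluation created the session."""
    candidates = [
        r for r in sign_ins
        if r.get("isInteractive")
        and r.get("userPrincipalName") == failure["userPrincipalName"]
        and r.get("resourceDisplayName") == failure["resourceDisplayName"]
        and r.get("status", {}).get("errorCode") == 0
        and _ts(r) < _ts(failure)
    ]
    return max(candidates, key=_ts, default=None)


def sif_policies(sign_in):
    """Step 3: applied CA policies whose enforced session controls include sign-in frequency."""
    return [
        p["displayName"]
        for p in sign_in.get("appliedConditionalAccessPolicies", [])
        if p.get("result") == "success"
        and any(c.lower() == "signinfrequency" for c in p.get("enforcedSessionControls", []))
    ]


def explain_failures(sign_ins):
    """Tie each 70043 failure to the session that expired and the policy behind it."""
    findings = []
    for failure in find_sif_failures(sign_ins):
        origin = last_interactive_success_before(sign_ins, failure)
        age = int((_ts(failure) - _ts(origin)).total_seconds() // 60) if origin else None
        findings.append({
            "user": failure["userPrincipalName"],
            "failed_at": failure["createdDateTime"],
            "session_created_at": origin["createdDateTime"] if origin else None,
            "session_age_minutes": age,
            "sif_policies": sif_policies(origin) if origin else [],
        })
    return findings


if __name__ == "__main__":
    for finding in explain_failures(SAMPLE_SIGN_INS):
        print(finding)
```

The session age reported beside the policy name is what to compare with the policy's configured sign-in frequency: if the failure lands just past that interval, the denial is the expected outcome of the control rather than a fault in the Outlook mobile client. A failure with no preceding interactive sign-in in the export usually means the log window is shorter than the session lifetime, not that no policy applied.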

