
azure ad refresh-token flow

testuser7 286 Reputation points
2022-05-12T19:12:55.633+00:00

Hello,

I have a BASIC, binary question.

When any client-app (could be a web-app, SPA or desktop app) sends a request to AAD with a valid refresh token to get a new refresh and access token, will such a request go through the Conditional Access Policy evaluation (just like any fresh request sent on the browser for the authorization-code flow)?

E.g., would the following request pass through all applicable CA policies?

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https://abc.com/myscope
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=JqQX2PNo9bpM0uEihUPzyrh

Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,551 Reputation points Moderator
    2022-05-13T05:46:07.117+00:00

    Hello @testuser7, yes, it will go through CA evaluation and the policy will get applied depending on the sign-in frequency settings. If the refresh token max lifetime has been exceeded, an AADSTS70043 error response will be returned.

    For more information about refresh token lifetime, take a look at token lifetime policy and token timeouts.

    Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.

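Since the refresh-token grant is itself subject to Conditional Access and token-lifetime evaluation, the client side needs to treat a refresh as something that can legitimately fail and push the user back to interactive sign-in. The following is an added example, not code from the question or the answer above: it builds the same refresh request the question shows and classifies the token endpoint's reply, treating an AADSTS70043 (error code 70043) or an invalid_grant / interaction_required reply as "re-authenticate", and passing through a claims challenge if one is present. Field names (error, error_codes, claims) follow the identity platform's JSON error format; the sample responses, tenant, client id and token strings are constructed for the offline check and are not real values.

```python
"""
Added example: refresh_token grant against the Microsoft identity platform v2.0
token endpoint with CA/lifetime-aware response handling. The live call is kept
separate from the decision logic so the latter can run offline on constructed
sample responses.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


@dataclass
class RefreshOutcome:
    ok: bool
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    reauth_required: bool = False          # send the user back through interactive sign-in
    error_codes: list = field(default_factory=list)
    claims_challenge: Optional[str] = None  # CA may require specific claims on re-sign-in
    reason: str = ""


def build_refresh_request(tenant, client_id, refresh_token, scope, client_secret=None):
    """Return (url, form_body_bytes) for the refresh_token grant shown in the question."""
    params = {
        "client_id": client_id,
        "scope": scope,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }
    if client_secret is not None:  # confidential clients only; public clients omit it
        params["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), urllib.parse.urlencode(params).encode()


def classify_token_response(status, body):
    """Decide what the client should do with the token endpoint's reply."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return RefreshOutcome(ok=True, access_token=data["access_token"],
                              refresh_token=data.get("refresh_token"), reason="refreshed")
    codes = data.get("error_codes", [])
    err = data.get("error", "")
    # 70043 (AADSTS70043): refresh token expired / max lifetime or sign-in frequency exceeded.
    # invalid_grant or interaction_required: the token cannot be refreshed silently;
    # Conditional Access needs the user back in the browser (possibly with a claims challenge).
    if 70043 in codes or err in ("invalid_grant", "interaction_required"):
        return RefreshOutcome(ok=False, reauth_required=True, error_codes=codes,
                              claims_challenge=data.get("claims"), reason=err or "invalid_grant")
    return RefreshOutcome(ok=False, error_codes=codes, reason=err or "unknown_error")


def refresh_tokens(tenant, client_id, refresh_token, scope, client_secret=None):
    """Live refresh; not exercised by the offline samples below."""
    url, body = build_refresh_request(tenant, client_id, refresh_token, scope, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:       # the endpoint returns errors as HTTP 400 + JSON
        return classify_token_response(e.code, e.read())


# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = (200, json.dumps({
    "token_type": "Bearer", "expires_in": 3599,
    "access_token": "eyJ.constructed.access", "refresh_token": "OAAAB.constructed.refresh"}))
SAMPLE_EXPIRED = (400, json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70043: refresh token expired or invalid (constructed sample).",
    "error_codes": [70043]}))


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("expired", SAMPLE_EXPIRED)):
        outcome = classify_token_response(*sample)
        print(label, "->", "refreshed" if outcome.ok else
              ("re-authenticate" if outcome.reauth_required else outcome.reason))
```

The important design point is that a refresh failure is routed to interactive sign-in rather than retried in a loop: once CA sign-in frequency or the token's max lifetime has been exceeded, no number of refresh attempts will succeed, and the user has to complete a fresh authorization-code flow.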

