azure ad refresh-token flow

testuser7 276 Reputation points
2022-05-12T19:12:55.633+00:00

Hello,

I have a BASIC, binary question.

When any client app (could be a web app, SPA or desktop app) sends a request to AAD with a valid refresh token to get a new refresh and access token, will such a request go through the Conditional Access policy evaluation (just like any fresh request sent from a browser for the authorization-code flow)?

For example, would the following request pass through all applicable CA policies?

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https://abc.com/myscope
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=JqQX2PNo9bpM0uEihUPzyrh

Thanks.

Microsoft Entra ID

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,491 Reputation points
    2022-05-13T05:46:07.117+00:00

    Hello @testuser7, yes, it will go through CA evaluation, and the policy will get applied depending on the sign-in frequency settings. If the refresh token max lifetime has been exceeded, an AADSTS70043 error response will be returned.

    For more information about refresh token lifetime, take a look at token lifetime policy and token timeouts.

    Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.
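The following is an added example (not code from the question or the answer above) showing what a client should do with the replies the answer describes: perform the refresh_token grant from the question, and when the endpoint rejects the refresh token (invalid_grant with AADSTS70043 after the sign-in frequency or lifetime limit) or a Conditional Access policy demands user interaction (interaction_required), fall back to an interactive sign-in instead of retrying. The tenant, client_id, client_secret, scope and refresh token are placeholders, and the three sample replies are constructed in the documented v2.0 error shape (error, error_description, error_codes, claims), not real captures; that a CA-triggered prompt surfaces as interaction_required with a claims value is assumed from the v2.0 endpoint documentation.

```python
"""Refresh-token grant against the Entra ID (Azure AD) v2.0 token endpoint.
Added example; identifiers and sample replies below are constructed placeholders."""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_refresh_request(tenant, client_id, refresh_token, scope, client_secret=None):
    """Build (url, headers, body) for the refresh_token grant.

    urllib derives the Host header from the URL, so it goes out as
    'login.microsoftonline.com' with no scheme. client_secret is only sent by
    confidential clients (web apps); SPAs and desktop apps leave it out.
    """
    form = {
        "client_id": client_id,
        "scope": scope,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant), headers, urlencode(form).encode("utf-8")


def classify_token_response(status, body_text):
    """Map a token endpoint reply to the client's next action.

    Returns (action, detail):
      'refreshed'            new access token (and normally a rotated refresh token)
      'reauthenticate'       refresh token rejected (invalid_grant, e.g. AADSTS70043
                             once the sign-in frequency / lifetime limit is hit):
                             start a fresh authorization-code sign-in
      'interaction_required' a Conditional Access policy needs the user; hand the
                             'claims' value to the interactive request
      'error'                anything else (bad scope, client misconfiguration, ...)
    """
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return "refreshed", {
            "expires_in": data.get("expires_in"),
            "rotated_refresh_token": "refresh_token" in data,
        }
    error = data.get("error", "")
    desc = data.get("error_description", "")
    # error_description starts with the AADSTS code, e.g. "AADSTS70043: ...".
    aadsts = desc.split(":", 1)[0] if desc.startswith("AADSTS") else None
    codes = data.get("error_codes", [])
    if error == "interaction_required":
        return "interaction_required", {"code": aadsts, "claims": data.get("claims")}
    if error == "invalid_grant":
        if 70043 in codes or aadsts == "AADSTS70043":
            reason = "sign-in frequency or refresh token lifetime exceeded"
        else:
            reason = "refresh token rejected"
        return "reauthenticate", {"code": aadsts, "reason": reason}
    return "error", {"error": error, "code": aadsts}


def refresh_tokens(tenant, client_id, refresh_token, scope, client_secret=None):
    """Send the grant and classify the reply (live network call; not run offline)."""
    url, headers, body = build_refresh_request(tenant, client_id, refresh_token, scope, client_secret)
    try:
        with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
            return classify_token_response(resp.status, resp.read().decode("utf-8"))
    except HTTPError as err:
        # The endpoint answers 400/401 with a JSON error body; read it rather than raise.
        return classify_token_response(err.code, err.read().decode("utf-8"))


# Constructed sample replies (not real captures) in the documented response shape.
SAMPLE_OK = json.dumps({
    "token_type": "Bearer", "scope": "https://abc.com/myscope", "expires_in": 3599,
    "access_token": "eyJ0eXAi...", "refresh_token": "OAAABAAAA...",
})
SAMPLE_SIGNIN_FREQ = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70043: The refresh token has expired or is invalid "
                         "due to sign-in frequency checks by conditional access.",
    "error_codes": [70043],
})
SAMPLE_CA_INTERACTION = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: multi-factor authentication required by policy.",
    "error_codes": [50076],
    "claims": "{\"access_token\":{\"acrs\":{\"essential\":true,\"value\":\"c1\"}}}",
})
```

The practical point for the original question: the refresh grant is not a free pass. The client must be prepared for the token endpoint to say no, and the right reaction to AADSTS70043 or interaction_required is a new interactive authorization-code request, never a retry loop with the same refresh token. Keep the client_secret out of logs when you dump these requests for debugging.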

