Error AADSTS50173 - The provided grant has expired due to it being revoked

Symptoms

When users try to sign in to an application that uses Microsoft Entra ID authentication, they receive the following error message:

AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'.

Cause

This error occurs if the refresh token that's used for authentication is revoked. This can happen in the following situations:

  • The user changes or resets their password.
  • The refresh token expires.
  • An administrator revokes the refresh token.

For more information, see:

Resolution

To resolve this issue, follow the applicable steps.

For users

In the application that experiences the issue, try to locate an option to reauthenticate or clear any cached token information. You can also perform these actions by signing out and signing back in to the application (if this step is applicable or available).

For application developers

If the application is using Microsoft Authentication Library (MSAL), follow this guidance to handle errors and exceptions in MSAL.

If the application isn't using MSAL, follow this guidance to handle errors and exceptions in MSAL, and try to implement a similar approach on the application. The goal is to request that the user reauthenticate and obtain a fresh token.
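For an application that calls the token endpoint without MSAL, the following added example (not Microsoft's code) shows one way to react to AADSTS50173: discard the cached refresh token and signal that interactive sign-in is required. It assumes the error arrives as a JSON body with `error`, `error_description` and `error_codes` fields; the function, exception and cache names are hypothetical, and the sample body is constructed.

```python
import json
import re

REVOKED_GRANT = 50173  # AADSTS50173, the error this article covers

# Pulls the two quoted timestamps out of the message text shown under Symptoms.
_DATES = re.compile(r"issued on '([^']*)'.*?for this user is '([^']*)'", re.S)


class ReauthenticationRequired(Exception):
    """Cached grant is unusable; the user must sign in interactively."""

    def __init__(self, issued_on, valid_from):
        super().__init__("AADSTS50173: grant revoked, interactive sign-in needed")
        self.issued_on = issued_on
        self.valid_from = valid_from


def handle_token_response(body, token_cache, user_id):
    """Return the access token, or drop the cached grant and demand sign-in."""
    data = json.loads(body)
    if "access_token" in data:
        return data["access_token"]
    description = data.get("error_description", "")
    codes = data.get("error_codes") or []
    if REVOKED_GRANT in codes or "AADSTS50173" in description:
        # Retrying with the same refresh token cannot succeed, so remove it.
        token_cache.pop(user_id, None)
        match = _DATES.search(description)
        issued_on, valid_from = match.groups() if match else (None, None)
        raise ReauthenticationRequired(issued_on, valid_from)
    raise RuntimeError(f"token request failed: {data.get('error')}")


# Constructed sample error body (placeholder timestamps, not real output).
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50173: The provided grant has expired due to it being revoked, "
        "a fresh auth token is needed. The user might have changed or reset "
        "their password. The grant was issued on '2024-01-01T00:00:00Z' and the "
        "TokensValidFrom date (before which tokens are not valid) for this user "
        "is '2024-02-01T00:00:00Z'."
    ),
    "error_codes": [50173],
})
```

The caller catches `ReauthenticationRequired` and starts an interactive sign-in instead of retrying the refresh request.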

More information

For a full list of authentication and authorization error codes, see Microsoft Entra authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error.
