For how long are AAD-issued tokens valid? I have mentioned this in scattered posts, but this AM Danny reminded me of how frequent this Q really is – and as such, it deserves its own entry.

As of today, the rules are pretty simple:

  • Access tokens last 1 hour
  • Refresh tokens last for 14 days, but
    • If you use a refresh token within those 14 days, you will receive a new one with a new validity window shifted forward by another 14 days. You can repeat this trick for up to 90 days of total validity, then you’ll have to reauthenticate
    • Refresh tokens can be invalidated at ANY time, for reasons independent from your app (e.g. user changes password). Hence you should NOT take a dependency on the above in your code – your logic should always assume that the refresh token can fail at any time
    • Refresh tokens issued for guest MSA accounts last only 12 hours
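
The rules above, modeled as an added example (not code from this post or from any AAD library): a toy issuer enforces the 1-hour, 14-day and 90-day limits, and the client treats a rejected refresh as a normal outcome and reauthenticates. `ToyIssuer`, `get_tokens` and the token dictionary layout are hypothetical names, and clipping the sliding window at the 90-day cap is an assumption about how the cap is enforced.

```python
from datetime import datetime, timedelta

ACCESS_TTL = timedelta(hours=1)    # access token lifetime
REFRESH_TTL = timedelta(days=14)   # sliding refresh token window
REFRESH_MAX = timedelta(days=90)   # total validity before reauthentication

class RefreshRejected(Exception):
    """Refresh token refused: expired, past the 90-day cap, or invalidated."""

class ToyIssuer:
    """Hypothetical stand-in for the token service; models only the rules above."""
    def __init__(self):
        self.epoch = 0             # bumped whenever outstanding tokens are invalidated

    def invalidate(self):          # e.g. the user changes their password
        self.epoch += 1

    def _issue(self, now, chain_start):
        chain_end = chain_start + REFRESH_MAX
        return {"access_exp": now + ACCESS_TTL,
                # Assumption: the sliding window is clipped at the 90-day cap.
                "refresh_exp": min(now + REFRESH_TTL, chain_end),
                "chain_start": chain_start, "epoch": self.epoch}

    def authenticate(self, now):   # full sign-in starts a new chain
        return self._issue(now, now)

    def redeem(self, tokens, now):
        if tokens["epoch"] != self.epoch or now >= tokens["refresh_exp"]:
            raise RefreshRejected()
        return self._issue(now, tokens["chain_start"])

def get_tokens(issuer, cached, now):
    """Return (tokens, how); how is 'cached', 'refreshed' or 'reauthenticated'."""
    if cached and now < cached["access_exp"]:
        return cached, "cached"
    if cached:
        try:
            return issuer.redeem(cached, now), "refreshed"
        except RefreshRejected:
            pass                   # a refresh can fail at any time: fall through
    return issuer.authenticate(now), "reauthenticated"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)      # constructed sample date
    issuer = ToyIssuer()
    tokens, _ = get_tokens(issuer, None, t0)
    print(get_tokens(issuer, tokens, t0 + timedelta(days=15))[1])
```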

That’s it, short and sweet :)

