This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 46%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
We chose Microsoft Entra External ID for authenticating external consumers using CIAM after reading this article
We're using these Android & iOS clients to signup and signin users with OTP authentication
In the backend we carefully followed the instructions to set up everything needed for the Native Authentication + OTP (one time passcode) user flow documented here.
We've run into an issue with the refresh tokens that we receive when using Native Authentication
Our expectation is that our refresh tokens should be valid for 90 days because we're using native apps which should fall under the 'other scenarios' in the following statement by microsoft documented for Entra ID:
The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
However our refresh tokens expire after 12 hours, which leads to a bad UX in our app due to forced repeated logins
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-09-25T13:42:23.0482303Z and was inactive for 12:00:00.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 71%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
I'm running into a similar issue for mobile apps using email OTP.
Users are being prompted to reauthenticate after 24 hours of inactivity rather than the expected 90 days.
The app registration is configured for IOS and Android platforms (Not SPA).
Users authenticate using Email OTP.
Unlike the original reporter, I'm seeing a 1 day expiry rather than 12 hours.
The mobile app is using MSAL.NET v4.74.0 which is performing PKCE code flow.
Ideally I'd like the expiry to be configurable but I'd be happy with 90 days as per the documentation.
https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens
Hopefully I just have something misconfigured as its going to be a show stopper for my mobile app if it isn't.
M``SAL.Xamarin.iOS.4.74.0.0.MsalUiRequiredException: ErrorCode: invalid_grant Microsoft.Identity.Client.MsalUiRequiredException: AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2025-09-08T17:57:57.6557470Z and was inactive for 1.00:00:00. Trace ID: 30f060ac-3549-4fc7-8661-34ed78480200 Correlation ID: 252009f8-1234-4148-9b57-f5ec45fdc55c Timestamp: 2025-09-09 20:44:36Z
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 80%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
@IanC
I wish it were a misconfiguration. I have had confirmation from my UK CSA at Microsoft that it is a BUG! The Entra External team need to look into this but it’s already been a while and no fix. It’s a major show stopper for mobile apps, we have had the same issue. The docs suggest it should be 90 days with the ability to silent refresh in MSAL to roll it over for up to one year before forcing login again (providing the user has activity in the app every 90 days). Whereas currently, as you’re also seeing, it expires within 24 hours. So we are stuck, because who is going to use a mobile app that requires you to be active in it every day or you’re logged out!? Unacceptable UX.
@Dan Rios Thanks for the reply. That's so frustrating, if it wasn't for this issue Extra External Id would have been perfect for my mobile app. But as it stands it's completely unworkable. No one will want to sign in every time they use the app.
I'm going to have to switch to a different identity provider. Does anyone have any low cost recommendations that support email OTP? Firebase?
Frustratingly, I've only recently migrated from Azure B2C which didn't have this issue but I'm not going back to something that has been depreciated :(
Do you know if there is a public bug/work item tracking this issue?
Unfortunately I don’t know of any cheap alternatives, mostly because I haven’t looked tbh. I have been trying to reach the External ID product group for a while with this issue. I am not aware of any roadmap or bug fix board we can view publicly. I will keep chasing my side and if I get any news I’ll update you as well!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 19%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
@Alon Catz I did manage to get through to them eventually and provided full details including this thread. They said they’d take a look but couldn’t provide a fix timeline. I will chase again soon and update when I get anything
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 37%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
This issue still persist when Android & iOS clients to signup and signin users with OTP authentication.
None of the above solutions are applicable to Entra EXTERNAL ID.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Niek Bijman , the default lifetime for refresh tokens in Azure AD B2C is 24 hours for single page apps and 90 days for all other scenarios, but there are other settings that can affect the lifetime of refresh tokens, such as refresh_token_lifetime and rolling_refresh_token_lifetime.
Make sure that the refresh_token_lifetime policy setting is set to the default value of 90 days. (Policies > Properties > Token Lifetime Policy) and set the value to 7776000 (90 days in seconds).
Check that the rolling_refresh_token_lifetime policy setting is not set to a value that is less than 12 hours. This setting determines the maximum amount of time that a user can use a refresh token without having to reauthenticate. If this value is set to a value that is less than 12 hours, it could cause the refresh token to expire prematurely.
Also verify that your app is using the correct scopes when requesting access tokens and refresh tokens. Make sure that you are requesting the offline_access scope when you authenticate the user. This is required to obtain a refresh token that can be used to obtain new access tokens without requiring the user to reauthenticate.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
Hi @James Hamil ,
Your suggestion mentions Azure AD B2C, though I'm looking for a solution for refresh tokens using Entra External ID. As far as I know B2C is a separate offering from Entra External ID, unless setting policies in B2C somehow affects policies in Entra External ID?
In any case if I attempt to do the equivalent of what you suggested in Entra External ID I can only set AccessTokenLifetime. Any refresh token related properties (rolling_refresh_token_lifetime, refresh_token_lifetime) will result in this error response for the tokenPolicy endpoint. If you see mistakes in formatting or syntax in the request please let me know.
Request:
POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
Authorization: Bearer <accessToken>
{
"definition": [
"{\"TokenLifetimePolicy\": {\"Version\": 1, \"AccessTokenLifetime\": \"23:59:59\"\"RefreshTokenLifetime\": \"90:00:00:00\",\"RollingRefreshTokenLifetime\": \"90:00:00:00\"}}"
],
"displayName": "default-refresh-token-policy",
"isOrganizationDefault": true
}
Response:
400: Bad Request
{
"error": {
"code": "Request_BadRequest",
"message": "Property definition has an invalid value.",
"details": [
{
"code": "InvalidValue",
"message": "Property definition has an invalid value.",
"target": "definition"
}
],
"innerError": {
"date": "2024-10-03T08:00:16",
"request-id": "<uuid>",
"client-request-id": "<uuid>"
}
}
}
The inability to set refresh token related values seems to be confirmed by this statement:
As of January 30, 2021 you cannot configure refresh and session token lifetimes
What should i do instead to configure refresh token lifetime longer than 12 hours for Entra External ID?
@Niek Bijman Oops! Sorry about that. Misread your question. For External ID you would have to use Sign-In Frequency control: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime
Please let me know if you have any questions!
Hey James Hamil,
No worries thanks for helping out! Regarding Sign-In Frequency control I run into this issue which is on this thread where I added a comment.
The main issue i reference here
Hi @James Hamil The Session option in Conditional Access policy is disabled in Entra External ID (as @rosskoes05 & @Ryan Buening have mentioned), which prevents us from configuring the Sign-In Frequency in the way you suggested
So basically we can't configure Sign-In Frequency in Entra External ID because the Session option states 'Not Available' (see screenshot). Sign-in Frequency is defined under the session options, so since it's not available we can't change any Sign-In settings
Hi @James Hamil , would you be able to help or share it with someone who can help? If the answer is that External ID has 0 options to solve this problem then I can just move on and switch to B2C or other platforms.
As a last attempt we tried the browser delegated example to check whether it was the Native Authentication flow that was problematic.
Sample
ms-identity-ciam-browser-delegated-android-sample
However with the browser delegated sample we into the same refresh token limit of 12:00:00
We've decided to switch to Azure B2C to avoid dealing with this problem.
Hi @Niek Bijman , so sorry for the delay in response. Looks like this is a common issue that we may need to file a bug for.
Best,
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 84%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
I assume nobody has had a look into this issue by now?
Or is there any update the you can share @James Hamil ?
We also have this issue, we can't use otp with 12hr durations... we're looking at other products in the meantime.
This issue still persist when Android & iOS clients to signup and signin users with OTP authentication.
None of the above solutions are applicable to Entra EXTERNAL ID.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 17%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Is there still no update on this? This is a massive disappointment and huge waste of my time if this is the case.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 42%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
I have the same problem - did any of the suggestions mentioned above help?
Hey @Martin May ,
No unfortunately no answer that works yet. Check the comments on James's Hamil's answer for a continuation of the discussion.
The reason the proposed suggestions don't apply is because the suggestions are for Azure B2C, whereas I'm looking for an answer for Azure Entra External ID.
I suspect that this can't be changed for email OTP authentication as the documentation says that the maximum length of the session is 24 hours; it's logical that the lifetime of the refresh token is shortened to 12 hours.
https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode#:~:text=One%2Dtime%20passcodes%20are,no%20longer%20needs%20access.
This seems to be hardcoded for quest accounts with OTP authentication.
I believe only using Entra B2C with email/password authentication can have longer sessions.
I don't think that documentation applies to Entra External ID native auth with OTP because:
The closest statement that i've found relating to refresh tokens for the external ID platform is this one: https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens#token-lifetime
So i'll take microsoft on their word when they state:
The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
In the Azure AD B2C tenant, the token lifetime could be configured as part of "user flows" - but it seems to have been removed in Entra External ID.
Hi @Martin May , so sorry for the delay in response. I'm going to open a support ticket to look into this further.
Best,
James
Dear @James Hamil , no need for a ticket.
We use Azure B2C so far,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 62%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
It's really bad for my app that my email OTP users have to log in every day. My users are both young and old people. I've switched to username/password instead. But the whole idea of them not having to create a password is now gone and it should be as easy as possible to sign up.
In my frustration, I considered creating an Azure B2C tenant, but you can't do that anymore, Microsoft has closed it down for new creations. They want you to use Microsoft Intra External ID instead.
I've tried setting up a policy for my app without success.
I really hope Microsoft fixes this bug soon. It's been almost a year now and it hasn't been fixed yet!
$policy = New-AzureADPolicy -Definition @('{"AccessTokenLifetime":"23:59:59","RefreshTokenLifetime":"90:00:00:00","RollingRefreshTokenLifetime":"90:00:00:00"}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Get-AzureADPolicy -Id $policy.Id
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'XXX'"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id