I'm aware that the Office 365 refresh tokens expire when the user changes their password, but I'm seeing them expire almost weekly for my customers.
Is there something I've misconfigured when setting up my OAuth2 app in Azure?
Usually, the access token lasts 1 hours, the refresh token lasts 14 days.
According to the document Authorization Code Grant Flow, the lifetime of refresh token varies based on policy settings. In this case, you may check the Azure AD policy settings.
The lifetime of the refresh token is not provided and varies based on policy settings and the time when the authorization code grant is revoked by Azure AD. The application should expect and handle cases when the request for a new access token fails. In that case, it should return to the code that requests a new access token.
When the access token expires, you can use the Refresh Token to Request a New Access Token. The response including a new access token and a new refresh token.
The old refresh token will last 14 days, as a workaround, you can use the new refresh token which will lasts another 14 days.