We chose Microsoft Entra External ID for authenticating external consumers using CIAM
We're using these Android & iOS clients to sign up and sign in users with OTP authentication:
ms-identity-ciam-native-auth-android-sample ms-identity-ciam-native-auth-ios-sample
In the backend we carefully followed the instructions to set up everything needed for the Native Authentication + OTP (one time passcode) user flow documented here.
We've run into an issue with the refresh tokens that we receive when using Native Authentication
Our expectation is that our refresh tokens should be valid for 90 days because we're not using a single page app (SPA)
The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
However, our refresh tokens expire after 12 hours, which leads to a bad UX in our app due to forced repeated logins:
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-09-25T13:42:23.0482303Z and was inactive for 12:00:00.
We've tried to follow the recommended paths, but we got stuck pursuing each option:
/policies/tokenLifetimePolicies
results in the error:
{
  "error": {
    "code": "Request_BadRequest",
    "message": "Configure Token Lifetime for RT/ST (Refresh/Session Token) is retired and all policies will not be honored anymore Refer https://go.microsoft.com/fwlink/?linkid=2153669 for more information",
    "details": [
      {
        "code": "UnsupportedPolicyProperty",
        "message": "Configure Token Lifetime for RT/ST (Refresh/Session Token) is retired and all policies will not be honored anymore Refer https://go.microsoft.com/fwlink/?linkid=2153669 for more information",
        "target": "PolicyDetail"
      }
    ],
    "innerError": {
      "date": "2024-10-03T08:41:07",
      "request-id": "<uuid>",
      "client-request-id": "<uuid>"
    }
  }
}
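The AADSTS700082 failure quoted above cannot be recovered silently: once the refresh token has passed its inactivity window, the only way forward is a new interactive sign-in. The following is an added example (not code from the original post, nor from the Microsoft sample apps) showing how a backend or client can parse that error text, compute when the token actually stopped being usable, and flag that the reported inactivity window (12 hours) is shorter than the lifetime the app was built around (90 days). The response body below is constructed to match the shape of an Entra token-endpoint error (error / error_description / error_codes) and reuses the message quoted in the post; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample, shaped like the JSON body the Entra token endpoint returns
# on a failed refresh_token grant. The message text is the AADSTS700082 line
# quoted in the post; nothing here was captured from a real tenant.
SAMPLE_REFRESH_FAILURE = {
    "error": "invalid_grant",
    "error_description": (
        "AADSTS700082: The refresh token has expired due to inactivity. "
        "The token was issued on 2024-09-25T13:42:23.0482303Z "
        "and was inactive for 12:00:00."
    ),
    "error_codes": [700082],
}

# Error number Entra uses for "refresh token expired due to inactivity".
INACTIVITY_CODE = 700082

_ISSUED_RE = re.compile(
    r"issued on (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z"
)
# .NET TimeSpan text: optional "d." day prefix, then HH:MM:SS[.fffffff]
_INACTIVE_RE = re.compile(
    r"inactive for (?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})(?:\.\d+)?"
)


@dataclass(frozen=True)
class InactivityExpiry:
    issued_at: datetime       # UTC issue time taken from the message
    inactive_for: timedelta   # inactivity window that was exceeded

    @property
    def expired_at(self) -> datetime:
        # The token stopped being usable once the window elapsed with no use.
        return self.issued_at + self.inactive_for


def parse_inactivity_error(description: str) -> Optional[InactivityExpiry]:
    """Return issue time and inactivity window from an AADSTS700082
    error_description, or None if the text is some other error."""
    if not description.startswith(f"AADSTS{INACTIVITY_CODE}:"):
        return None
    issued = _ISSUED_RE.search(description)
    inactive = _INACTIVE_RE.search(description)
    if not issued or not inactive:
        return None
    base = datetime.strptime(issued.group(1), "%Y-%m-%dT%H:%M:%S")
    # Entra prints 7 fractional digits; datetime stores microseconds (6), so truncate.
    micros = int((issued.group(2) or "0")[:6].ljust(6, "0"))
    issued_at = base.replace(microsecond=micros, tzinfo=timezone.utc)
    days, hours, minutes, seconds = (int(g or 0) for g in inactive.groups())
    window = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    return InactivityExpiry(issued_at=issued_at, inactive_for=window)


def classify_refresh_failure(
    response: dict, expected_window: timedelta = timedelta(days=90)
) -> dict:
    """Decide what the app should do with a failed refresh_token grant.

    AADSTS700082 is not retryable: the user must sign in interactively again.
    The result also flags when the window Entra reports is shorter than the
    lifetime the app assumed, which is exactly the 12h-vs-90-day mismatch
    described in the post."""
    info = parse_inactivity_error(response.get("error_description", ""))
    if info is None:
        return {"action": "unhandled", "error": response.get("error")}
    return {
        "action": "interactive_signin",
        "expired_at": info.expired_at,
        "inactive_for": info.inactive_for,
        "shorter_than_expected": info.inactive_for < expected_window,
    }


if __name__ == "__main__":
    print(classify_refresh_failure(SAMPLE_REFRESH_FAILURE))
```

In a real client this decision would sit in the refresh path: on `interactive_signin`, clear the cached token and launch the sign-in UI; when `shorter_than_expected` is true, log it so the unexpected lifetime is visible in telemetry rather than appearing only as user complaints about repeated logins.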
Thank you for your feedback. We've confirmed this behavior of a 12h Refresh Token is impacting Microsoft Entra External ID, and it is specific to the Email OTP flow. It was caused by a change to Entra made for security. One workaround until it is addressed is to use a username/password flow.
Before relaxing the Refresh Token lifetime back to 90 days, the team has currently prioritized fixing Conditional Access for Session Controls in the Email OTP scenario. We are interested in your feedback: does your Email OTP scenario require a Conditional Access policy such as MFA?