For organizations where you see frequent device authorization errors, check with your client whether they have enabled MFA settings such as “remember multi-factor authentication on trusted devices” or a Conditional Access policy in their Azure AD / M365 tenant. We have seen this issue with clients using these settings: the configured policy or MFA setting causes the device token to expire, which surfaces as a credential error.
Settings can be checked by following “Azure Portal -> Users -> Per-user MFA -> Service Settings Tab”.
Also, check whether a “Password expiration policy” is enabled on the tenant:
- Visit https://admin.microsoft.com/AdminPortal/Home?#/Settings/SecurityPrivacy
- Check whether password expiry is set to occur after a given number of days.
If there is at least one global admin with an Azure AD Premium license, a Conditional Access policy can be created to configure the token expiry; otherwise, the tenant follows the default configuration (90 days) as explained by Microsoft (“Configurable token lifetimes - Microsoft Entra”).
“AADSTS50173: The provided grant has expired due to it being revoked; a fresh auth token is needed. The user might have changed or reset their password.”
This error is caused by a change to the backup admin or to the backup admin's password. If any AD policy forces the backup admin or its password to expire or be renewed at a specific interval, ask your client to exclude the Dropsuite Backup Admin from that policy.
| Cause | Resolution |
| --- | --- |
| The refresh token has expired due to inactivity. The default period is 14 days, and we have a cron that renews the refresh token every 7 days. However, some tenants have a custom inactive period of less than 7 days. Another possible reason is an issue on our side: the cron failed to renew the refresh token because of an error. | This is mainly on our side. We need to check our crons; we currently have no logs or reports such as the time the refresh tokens were last renewed. We should also support renewing tokens more often, with configurable renewal times for tenants whose inactive period is less than 7 days. |
| The refresh token is invalid due to a policy configured in the Azure tenant. Our application or backup admin is probably included in a policy that causes the token to expire. | Clients must exclude our application and backup admin from Conditional Access policies in their tenant. If it happens for device tokens, “remember multi-factor authentication on trusted devices” may be enabled. Clients may need to disable this, create a Conditional Access policy, and exclude our backup admin from it. |
| The user has reset or changed the password, or a password expiration policy applies. | The customer needs to reauthenticate if they have reset or changed their password. If they have a password expiration policy, they can disable it for our backup admin. |
| Either the org admin who authenticated the main app, or our backup admin, has been deleted from the tenant. | If their global admin is deleted, they must reauthenticate using a different org admin. If the backup admin is deleted, our system automatically creates a new one, and they need to set up MFA and reauthenticate using the new backup admin. |
| Azure security defaults might be enabled in the tenant and the admin set up MFA after authenticating, which leaves the tokens invalid. Resetting the MFA device, or resetting MFA on an org admin or the backup admin, also invalidates the tokens. | The best option is to turn off security defaults and, if they have an Azure AD Premium license, use Conditional Access policies that exclude our app and the backup admin. Otherwise, they need to reauthenticate whenever they update MFA settings. |
| The refresh token has expired or is invalid because of sign-in frequency checks by Conditional Access or a configured token lifetime. | Clients need to exclude our app and backup admin from those policies, if configured. |
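The first cause described above is a renewal cron that runs every 7 days against a default 14-day inactivity window, with no record of when tokens were last renewed. As an added example (not Dropsuite code), this Python sketch derives a per-tenant renewal cadence from its inactivity window, flags tenants a fixed 7-day cron cannot keep alive, and records each renewal attempt; the tenant names, windows and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_INACTIVITY_DAYS = 14  # idle window after which a refresh token dies
CRON_INTERVAL_DAYS = 7        # cadence of the renewal cron described above

@dataclass
class Tenant:
    name: str
    last_renewed: datetime                           # last successful renewal (UTC)
    inactivity_days: int = DEFAULT_INACTIVITY_DAYS   # tenant-specific idle window
    renewal_log: list = field(default_factory=list)  # (timestamp, outcome) records

def token_expires_at(t: Tenant) -> datetime:
    """A refresh token becomes unusable once the idle window passes unused."""
    return t.last_renewed + timedelta(days=t.inactivity_days)

def renewal_interval_days(t: Tenant) -> int:
    """Per-tenant cadence: half the idle window, at least daily, so one missed
    run still leaves a valid token (14-day default -> every 7 days)."""
    return max(1, t.inactivity_days // 2)

def classify(t: Tenant, now: datetime) -> str:
    """'expired': window elapsed, client must reauthenticate; 'at_risk': a fixed
    7-day cron cannot renew before a window this short closes; else 'ok'."""
    if now >= token_expires_at(t):
        return "expired"
    if t.inactivity_days <= CRON_INTERVAL_DAYS:
        return "at_risk"
    return "ok"

def record_renewal(t: Tenant, when: datetime, ok: bool) -> None:
    """Keep the renewal record that is currently missing; only a successful
    renewal moves the expiry forward."""
    t.renewal_log.append((when.isoformat(), "renewed" if ok else "failed"))
    if ok:
        t.last_renewed = when

def report(tenants, now):
    """Map tenant name -> (status, recommended renewal cadence in days)."""
    return {t.name: (classify(t, now), renewal_interval_days(t)) for t in tenants}

# Constructed sample tenants (not real data).
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)
SAMPLE = [
    Tenant("contoso-default", NOW - timedelta(days=5)),                    # healthy
    Tenant("fabrikam-short", NOW - timedelta(days=2), inactivity_days=5),  # cron too slow
    Tenant("adatum-stale", NOW - timedelta(days=20)),                      # renewal missed
]
```

Calling `report(SAMPLE, NOW)` marks the 5-day tenant as at risk even though its token is still valid, which is the case the fixed cron silently misses.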