Question

Reauthorization required for Microsoft Office 365 OAuth mailbox, Refresh Token expired

  • 16 January 2024
  • 6 replies
  • 487 views


We are using FreshDesk with a couple of different O365 mailboxes; these mailboxes are integrated in FreshDesk via the built-in function to add O365 mailboxes.

We experience that the credentials expire, and when looking at the Sign In logs in Entra ID (Azure AD) I can see it complains that the refresh token has expired.

Is anyone else experiencing this issue and/or has a solution?

My thought was that the Refresh token should be refreshed at each login which happens multiple times per day, according to the logs.

Clicking the “Sign in with Microsoft” button and logging in again solves the problem, until the next time, I think 90 days later, which is a time-out value in O365, so that seems likely. But the question remains: should not the token be renewed by FreshDesk when fetching/sending mails?


6 replies

We got bit by this before as well. Did some reading, but I don’t think there’s any real automatic way around it. (might be possible using conditional access policies?)

https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens
https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes

“As of January 30, 2021 you cannot configure refresh and session token lifetimes. Microsoft Entra no longer honors refresh and session token configuration in existing policies.”
“persistent session tokens have a Max Inactive Time of 90 days”


In the meantime we’ve just set a calendar reminder every 80 days so someone remembers to re-auth.


Solution

To address the recurring "Something went wrong" error despite successful reauthorization of a support email, a temporary workaround involves the following steps. Firstly, navigate to Admin > Emails and designate a different support email, or a dummy email, as the primary support email temporarily. This action should be indicated by clicking the STAR icon. Subsequently, the original support email, which requires reauthorization, will become secondary. Proceed to reauthorize this email (support@domain.com). Upon completion, the previously designated support email can be reverted to the primary status by clicking the STAR icon.

Kind regards, Thomas


@Haenggi Not sure how that would help my issue with having to reauthorize all the time? Besides, we already have multiple email accounts enabled and they intermittently require reauthorization.

@Patrik: I agree with you. I also placed a feature request to the developer team (Freshworks) to enable OAuth authentication for IMAP (Customize your own Mail Server). Hopefully this will help.


@patrik.nordlund Greetings, thanks for reaching out to the Freshworks community.

As per Microsoft policy, the refresh token will expire every 90 days, as mentioned in the forum below.
https://learn.microsoft.com/en-us/answers/questions/836861/does-the-refresh-token-expires-after-90-days-irres


When the token expires, the mailbox will get disconnected, and users will be prompted with a reauthorization banner to perform reauthorization. Upon entering the credentials and reauthorizing, a new refresh token will be automatically generated, which will be valid for another 90 days. I am afraid this restriction is imposed by Microsoft and is not account-specific.


Thank you,

Sujitha.
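As an added example, not part of this thread and not Freshdesk or Freshworks code, a small Python script that turns the 90-day expiry described above and the 80-day calendar reminder from the first reply into a check over exported Entra sign-in log records: it flags mailboxes whose Freshdesk sign-ins failed because the refresh token had expired, and mailboxes whose last good sign-in is close to the inactivity limit. The app name, mailboxes and log records are constructed, and the Entra error codes 700082 and 70008 are assumed from Microsoft's AADSTS error reference rather than taken from this page.

```python
import json
from datetime import datetime, timezone
# Assumed Entra error codes for an expired refresh token (AADSTS700082 and
# AADSTS70008); confirm them against status.failureReason in your own logs.
REFRESH_EXPIRED_CODES = {700082, 70008}
WARN_AFTER_DAYS = 80  # same margin as a manual 80-day calendar reminder
# Constructed records shaped like Graph /auditLogs/signIns entries, trimmed to
# the fields used here; app name, mailboxes and timestamps are made up.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-01-10T08:00:00Z", "appDisplayName": "Freshdesk",
     "userPrincipalName": "support@example.com", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-15T07:30:00Z", "appDisplayName": "Freshdesk",
     "userPrincipalName": "support@example.com", "status": {"errorCode": 700082}},
    {"createdDateTime": "2023-10-25T09:00:00Z", "appDisplayName": "Freshdesk",
     "userPrincipalName": "sales@example.com", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-12T10:00:00Z", "appDisplayName": "Freshdesk",
     "userPrincipalName": "billing@example.com", "status": {"errorCode": 70008}},
    {"createdDateTime": "2024-01-14T10:05:00Z", "appDisplayName": "Freshdesk",
     "userPrincipalName": "billing@example.com", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-15T11:00:00Z", "appDisplayName": "Other App",
     "userPrincipalName": "support@example.com", "status": {"errorCode": 700082}},
])
_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # Graph UTC stamps

def mailbox_status(raw_json, app_name="Freshdesk", now=None):
    """Return {mailbox: (action, days since last good sign-in)} for app_name."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    last_ok, last_expired = {}, {}
    for rec in sorted(json.loads(raw_json), key=lambda r: r["createdDateTime"]):
        if rec["appDisplayName"] != app_name:
            continue  # failures in other apps say nothing about this connector
        upn, when = rec["userPrincipalName"], _ts(rec["createdDateTime"])
        code = rec["status"]["errorCode"]
        if code == 0:
            last_ok[upn] = when
        elif code in REFRESH_EXPIRED_CODES:
            last_expired[upn] = when
    result = {}
    for upn in set(last_ok) | set(last_expired):
        ok, bad = last_ok.get(upn), last_expired.get(upn)
        idle = (now - ok).days if ok else None
        if bad and (ok is None or bad > ok):
            action = "reauthorize now"   # token rejected after the last good sign-in
        elif idle >= WARN_AFTER_DAYS:
            action = "reauthorize soon"  # inside the warning margin of the 90-day limit
        else:
            action = "ok"
        result[upn] = (action, idle)
    return result
```

Feeding it a real export from the Entra sign-in logs (Graph /auditLogs/signIns, filtered to the Freshdesk app) replaces the calendar reminder with a scheduled check that names exactly which mailbox needs the "Sign in with Microsoft" step.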

Hello Sujitha,

Are there any known workarounds that can be configured on the Microsoft side to avoid the expiration?

I am now forced to set reminders to manually re-authenticate to avoid the mail server failure.

Thank you
