Announcing OAuth 2.0 support for IMAP and SMTP AUTH protocols in Exchange Online

I'll have to check, but from memory in mid-2017  MSFT announced this 90 days cut-off for new tenants,  but it applied to refresh tokens that hadn't been used during that time. I believe that regularly-accessed refresh tokens - whether for single or multifactor authentication - have indefinite life unless countermanded by a Conditional Access policy, but I think it was MSFT's intent even then to keep refresh tokens valid until revoked but instead to use Conditional Access to invalidate access by controlling sign-in frequency, i.e. instead of the refresh token having a life set centrally, its effective life depended on how often the user authenticated and also requested a new refresh token.