Ever since we announced our intention to disable Basic Authentication in Exchange Online we said that we would add Modern Auth (OAuth 2.0) support for the IMAP, POP and SMTP AUTH protocols.
Today,...
Updated Jun 30, 2022
Version 6.0
Blog Post
1 MIN READ
Announcing OAuth 2.0 support for IMAP and SMTP AUTH protocols in Exchange Online
Tnx luberth. No, we are not updating the refresh token each time it is used: offline_access scope (which nudges the endpoint to return a new refresh token) was only specified when the system went live - and now manually every 89 days ! We were relying on the statement in https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes that the default 90-day automatic revocation was 'Refresh Token Max Inactive Time' and otherwise the token was valid until revoked by events other than lifetime.
In https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-3 it is stated: "Refresh tokens for web apps and native apps do not have specified lifetimes"
Our refresh tokens used daily to obtain access tokens are clearly not inactive but are nevertheless being automatically revoked.