AADSTS70008 when trying to activate Office Applications


Hi 

 

I have an Office 365 user on my tenant who can log on to Office web applications at portal.office.com and they work fine. He has an E5 license.

 

When he goes to activate his desktop applications, whether Word, Excel or Outlook, he gets an error. 

 

"Message: AADSTS70008: The provided authorization code or refresh token has expired due to inactivity. Send a new interactive authorization request for this user and resource."

 

There are some explanatory notes around. Specifically this one:

Error Code: 70008

Message: The provided authorization code or refresh token has expired due to inactivity. Send a new interactive authorization request for this user and resource.

Remediation: Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user.

 

My expectation would be if his Azure AD token had expired then he shouldn't be able to log in to the web portal with the same ID.

 

Has anyone seen this? Any ideas on specifically troubleshooting this with respect to applications rather than just access?

 

Ideas welcome.

 

Stephen

 

3 Replies
I think you can get some clues from that link: https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/OAuth-Refresh-token-has...

Simple test: did you try disabling 2FA for that account? Just reset his credentials, check the connection and after that re-enable 2FA?

Did you try
The user currently doesn't have 2FA enabled. The user did do a password change. However, I possibly need to explore that again because the user can do this and it can be forced by the service desk.
Just to add to this.

The problem was eventually tracked to Office activation. Specifically, removing this registry key in Office proved to be the winner.

HKLM\Software\Microsoft\Office\16\Common\Identity

The Microsoft documentation to support this is here:

https://docs.microsoft.com/en-us/office/troubleshoot/activation/reset-office-365-proplus-activation-...

I hope it helps someone else stumbling onto this post.