SOLVED

Refresh Token

%3CLINGO-SUB%20id%3D%22lingo-sub-2980705%22%20slang%3D%22en-US%22%3ERefresh%20Token%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2980705%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%2C%3C%2FP%3E%3CP%3EDoes%20anybody%20been%20facing%20the%20same%20issue%3F%3C%2FP%3E%3CP%3EI%20have%20read%20some%20of%20the%20documentation%20but%20I%20could%20not%20find%20the%20answer%20that%20meets%20the%20problem.%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EI%20do%20appreciate%20your%20assistance.%3C%2FP%3E%3CP%3EBased%20on%20the%20information%20you%20provided%20we%20have%20identified%20the%20following%20issue%20and%20recommend%20taking%20the%20action%20to%20resolve%20the%20issue.%3C%2FP%3E%3CP%3E%3CSTRONG%3EError%20Code%3A%3C%2FSTRONG%3E%2050173%3C%2FP%3E%3CP%3E%3CSTRONG%3EMessage%3A%3C%2FSTRONG%3E%20The%20provided%20grant%20has%20expired%20due%20to%20it%20being%20revoked%2C%20a%20fresh%20auth%20token%20is%20needed.%20The%20user%20might%20have%20changed%20or%20reset%20their%20password.%20The%20grant%20was%20issued%20on%20'%7BauthTime%7D'%20and%20the%20TokensValidFrom%20date%20(before%20which%20tokens%20are%20not%20valid)%20for%20this%20user%20is%20'%7BvalidDate%7D'.%3C%2FP%3E%3CP%3E%3CSTRONG%3EAction%3A%3C%2FSTRONG%3E%20Expected%20part%20of%20the%20token%20lifecycle%20-%20either%20an%20admin%20or%20a%20user%20revoked%20the%20tokens%20for%20this%20user%2C%20causing%20subsequent%20token%20refreshes%20to%20fail%20and%20require%20re-authentication.%20Have%20the%20user%20sign-in%20again%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2980705%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ERefresh%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2984326%22%20slang%3D%22en-US%22%3ERe%3A%20Refresh%20Token%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2984326%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1198773%22%20target%3D%22_blank%22%3E%40Khaled_Arafat%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20are%20getting%20this%20error%20since%20your%20Refresh%20Token%20has%20been%20expired%20(I%20am%20sure%2C%20you%20already%20know%20this).%20By%20default%2C%20the%20lifetime%20for%20the%20refresh%20token%20is%2090%20days.%20The%20refresh%20token%20can%20be%20expired%20due%20to%20either%20if%20the%20password%20changed%20for%20the%20user%20or%20the%20token%20has%20been%20revoked%20either%20by%20user%20or%20admin%20through%20PowerShell%20or%20Azure%20AD%20portal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Frefresh-tokens%23revocation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%3C%2FA%3E%20post%20to%20know%20more%20about%20Refresh%20Token%20Expiration%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Frefresh-tokens%23revocation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERefresh%20Token%20Revocation%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20your%20token%20not%20expired%20by%20anyone%20of%20the%20listed%20method%20in%20the%20above%20post%2C%20then%20confirm%20that%20you%20have%20configured%20%3CSTRONG%3EConditional%20Access%20policy%3C%2FSTRONG%3E%20and%20configured%20the%20%3CSTRONG%3ESession%20-%26gt%3B%26nbsp%3BSign-in%20frequency%3C%2FSTRONG%3E%20control.%20This%20is%20an%20another%20way%20to%20control%20user%20Refresh%20Token%20and%20force%20user%20to%20sign-in%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERefer%20the%20below%20post%20to%20know%20more%20about%20Authentication%20session%20management%20with%20Conditional%20Access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-session-lifetime%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-session-lifetime%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2985153%22%20slang%3D%22en-US%22%3ERe%3A%20Refresh%20Token%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2985153%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F38365%22%20target%3D%22_blank%22%3E%40Kevin%20Morgan%3C%2FA%3E%3CBR%20%2F%3EThank%20you%20for%20your%20answer%3CBR%20%2F%3EI%20ran%20this%20Powershell%20command%3CBR%20%2F%3ERevoke-AzureADUserAllRefreshToken%20-ObjectId%20dsafsi4r5u6w4wt4h%3CBR%20%2F%3EI'm%20waiting%20for%20user%20confirmation.%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi ,

Does anybody been facing the same issue?

I have read some of the documentation but I could not find the answer that meets the problem.   

I do appreciate your assistance.

Based on the information you provided we have identified the following issue and recommend taking the action to resolve the issue.

Error Code: 50173

Message: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'.

Action: Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again

 

 

Regards 

3 Replies
best response confirmed by Khaled_Arafat (Occasional Contributor)
Solution

@Khaled_Arafat 

 

You are getting this error since your Refresh Token has been expired (I am sure, you already know this). By default, the lifetime for the refresh token is 90 days. The refresh token can be expired due to either if the password changed for the user or the token has been revoked either by user or admin through PowerShell or Azure AD portal.

 

See this post to know more about Refresh Token Expiration : Refresh Token Revocation 

 

If your token not expired by anyone of the listed method in the above post, then confirm that you have configured Conditional Access policy and configured the Session -> Sign-in frequency control. This is an another way to control user Refresh Token and force user to sign-in again.

 

Refer the below post to know more about Authentication session management with Conditional Access.

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...

@Kevin Morgan
Thank you for your answer
I ran this Powershell command
Revoke-AzureADUserAllRefreshToken -ObjectId dsafsi4r5u6w4wt4h
I'm waiting for user confirmation.

Regards


Regards
Hi @Kevin Morgan
It worked thank you for your assistance.
My user is now able to log in.

Regards