Fixing AADSTS700082: refresh tokens expiring after 12 hours in Azure Entra External ID

At libelo we use Azure Entra External ID (CIAM, Customer Identity and Access Management) as the identity provider for our React Native mobile app. We use the Native Authentication API for email + password and the browser-delegated flow for Google and Apple federation. All three flows request offline_access to get a refresh token, exactly as the documentation prescribes for a native/public client.

After our first 'friends & family' release, we started seeing users being logged out of the app overnight. Open the app the next morning, get prompted to sign in again, close the app. Not great for the experience.

The cause was a refresh token lifetime that did not match what the docs describe. This post explains the symptom, what we ruled out, and the actual fix - which turns out to be a configuration setting in Conditional Access, not a bug (anymore) in External ID.

If you arrived here because you are seeing AADSTS700082 with "The refresh token has expired due to inactivity" and exactly 12:00:00 of inactivity reported in the error message, you are in the right place.