Microsoft Entra ID uses different tokens for different purposes. What all of them have in common is that they keep a sign-in active. More information can also be found in my article Demystifying Authentication in Microsoft Entra ID.

Expiration and revocation of tokens in Microsoft Entra ID

Let’s take a look at the basic types of tokens in Microsoft Entra ID and their expiration and possible revocation options.

Access tokens

The default expiration time for access tokens in Microsoft Entra ID is 1 hour. Once issued, access tokens in Microsoft Entra ID cannot be revoked in any way. The only option would be to manually delete the tokens directly on the device.

Because of the inability to invalidate access tokens, Microsoft came up with a technology called Continuous Access Evaluation (CAE). Continuous Access Evaluation allows you to invalidate tokens in near real-time. Unfortunately, not all applications support Continuous Access Evaluation.

When the access token expires, the client silently uses the refresh token to ask Microsoft Entra ID for a new set of tokens. At that point, Microsoft Entra ID verifies that the sign-in is still valid and that no conditions have changed.

Refresh tokens

Refresh tokens are valid for 90 days by default in most cases. Refresh tokens are used to obtain new access tokens; more specifically, each refresh issues a new access token together with a new refresh token.

Refresh tokens can be invalidated, either through the Microsoft Entra admin center, or by using PowerShell or Microsoft Graph.

  • Revoke all refresh tokens via Microsoft Entra admin center
  • Revoke all refresh tokens via PowerShell
  • Revoke all refresh tokens via Microsoft Graph
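The PowerShell and Microsoft Graph options combined, as an added example that is not part of the original article. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in administrator holds the User.ReadWrite.All permission, and the user principal name passed in is a placeholder; it calls the revokeSignInSessions action and then reads back signInSessionsValidFromDateTime, which Microsoft Entra ID bumps to the current time so that older refresh tokens are rejected.

```powershell
# Added example, not the article's own code. Assumes Microsoft.Graph SDK
# modules are installed and the caller holds User.ReadWrite.All.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

function Revoke-EntraUserRefreshTokens {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $before = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, SignInSessionsValidFromDateTime
    Write-Host "Before: tokens valid from $($before.SignInSessionsValidFromDateTime)"

    # Invalidates every refresh token issued to this user's applications.
    # Access tokens already in hand stay valid until they expire (1 hour by
    # default) unless the application supports Continuous Access Evaluation;
    # application-issued session tokens remain the application's responsibility.
    Revoke-MgUserSignInSession -UserId $before.Id

    $after = Get-MgUser -UserId $before.Id -Property SignInSessionsValidFromDateTime
    Write-Host "After:  tokens valid from $($after.SignInSessionsValidFromDateTime)"
    return $after.SignInSessionsValidFromDateTime
}

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
# Placeholder user; replace with the account whose sessions must be revoked.
Revoke-EntraUserRefreshTokens -UserPrincipalName 'user@contoso.example'
```

The timestamp printed after the call is the moment from which Microsoft Entra ID refuses refresh tokens issued earlier; confirming it moved forward is the check that the revocation actually took effect.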

Session tokens

Most browser-based applications use session tokens instead of access and refresh tokens. Session tokens are stored in the form of cookies.

When a user opens a browser and authenticates to an application via Microsoft Entra ID, the user receives two session tokens. One from Microsoft Entra ID and another from the application.

The problem with session tokens is that their lifetime is controlled by the application the user is accessing. Therefore, the authentication can remain valid until the application itself sends a revalidation request to Microsoft Entra ID.

As a result, Microsoft Entra ID cannot revoke session tokens that have already been issued. Again, only the application can invalidate them.

Primary Refresh Tokens

Primary Refresh Tokens are invalidated by the following events:

  • User is deleted or disabled in Microsoft Entra ID
  • Device is deleted or disabled in Microsoft Entra ID
  • User password is changed in Microsoft Entra ID. This applies only if the user used their password to obtain the original Primary Refresh Token. If the password was not used to obtain the Primary Refresh Token, changing the password will not invalidate it.
  • TPM issues