Microsoft OAuth refresh token invalid_grant — What it means & how to fix it

How to diagnose and fix Microsoft OAuth refresh token invalid_grant errors

"error": "invalid_grant", "error_description": "AADSTS700082: The refresh token has expired due to inactivity."

If you integrate with Microsoft (Entra ID / Microsoft identity platform) using OAuth 2.0, you will eventually hit a refresh failure. It often appears as invalid_grant, and it can break scheduled jobs, background syncs, or user-triggered actions until you recover.

This guide explains how Microsoft reports refresh failures, the most common underlying causes, and how to restore access without guesswork.

Spot the error

When your backend POSTs to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token to swap a refresh token for a new access token, Microsoft can answer with an HTTP 400 response and a JSON body like this:

Microsoft OAuth refresh error

{
  "error": "invalid_grant",
  "error_description": "Token has been expired or revoked."
}

That single JSON payload means the refresh token is unusable. Microsoft often embeds an AADSTS code in error_description, which tells you why the refresh failed.

These are the AADSTS codes you’ll see most often:

  • AADSTS70008 / AADSTS700082: Refresh token expired due to inactivity.
  • AADSTS700084: Refresh token issued to a SPA has expired (fixed lifetime).
  • AADSTS50173: The grant was revoked (often after password reset or credential change).
  • AADSTS50076 / AADSTS50158: Conditional Access / MFA required → interactive sign-in needed.
  • AADSTS70000: Invalid grant (refresh token invalid or token-binding issues).

Why was the refresh token rejected?

In Microsoft’s ecosystem, refresh tokens can fail for lifecycle, security, or policy reasons. The most common categories are below.

1) Inactivity expiration

Refresh tokens expire if they go unused for too long. This is a frequent cause when integrations pause or customers churn and later return.

2) Fixed lifetime for SPA refresh tokens

Refresh tokens issued to SPAs have a fixed, short lifetime and cannot be extended. Once expired, the only fix is interactive re-auth.

3) Credential changes or account security events

If a user changes or resets their password, or if a security event occurs, Microsoft can revoke existing refresh tokens. This commonly shows up as AADSTS50173.

4) Admin or user revocation

An admin can revoke user sessions, remove consent, or disable the user account. Any of these actions invalidate refresh tokens immediately.

5) Conditional Access / MFA policy changes

New policies can require fresh interactive authentication. Refresh tokens then fail until the user completes the required challenge.

How to fix it

1. Read the AADSTS code

The AADSTS code usually tells you whether this was inactivity, SPA lifetime, revocation, or policy change.

2. Check recent tenant/user changes

Password resets, account disables, or admin policy changes are common culprits.

3. Not a transient issue? Re-authenticate

Once you confirm the token was revoked or expired, the only fix is to send the user through OAuth again.

Retry once (to cover rare partial failures). If it fails again, mark the connection as re-auth required and stop background refresh attempts.
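The three steps above as one decision routine, added here as an example (it is not Nango's code and not a Microsoft library): it parses the token-endpoint response, extracts the embedded AADSTS code, and tells the background refresher whether to persist new tokens, retry once, back off, or stop and mark the connection as re-auth required. The Outcome names, the AADSTS-to-reason map and the sample responses are constructed for illustration.

```python
import json
import re
from enum import Enum
from typing import Tuple

class Outcome(Enum):
    REFRESHED = "refreshed"              # new tokens returned: persist them immediately
    RETRY_ONCE = "retry_once"            # first invalid_grant: try a single retry
    REAUTH_REQUIRED = "reauth_required"  # second invalid_grant: stop and ask the user to re-auth
    TRANSIENT = "transient"              # not invalid_grant (e.g. 5xx, non-JSON): back off, retry later

# AADSTS codes listed in the article, mapped to the lifecycle reason each one signals.
AADSTS_REASONS = {
    "70008": "inactivity_expiry",
    "700082": "inactivity_expiry",
    "700084": "spa_fixed_lifetime",
    "50173": "credential_change_revocation",
    "50076": "conditional_access_or_mfa",
    "50158": "conditional_access_or_mfa",
    "70000": "invalid_grant",
}
_AADSTS_RE = re.compile(r"AADSTS(\d+)")

def parse_aadsts(error_description: str) -> Tuple[str, str]:
    """Return (code, reason) from error_description; code is '' when none is embedded."""
    m = _AADSTS_RE.search(error_description or "")
    if not m:
        return "", "unknown"
    return m.group(1), AADSTS_REASONS.get(m.group(1), "unknown")

def decide(status: int, body: str, attempt: int) -> Tuple[Outcome, str]:
    """Classify one refresh response; attempt is 1 for the first call and 2 for the retry."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:  # e.g. an HTML error page from a proxy, not a token response
        return Outcome.TRANSIENT, f"http_{status}"
    if status == 200 and "access_token" in payload:
        return Outcome.REFRESHED, "ok"
    if payload.get("error") != "invalid_grant":
        return Outcome.TRANSIENT, payload.get("error", f"http_{status}")
    code, reason = parse_aadsts(payload.get("error_description", ""))
    label = f"AADSTS{code}:{reason}" if code else reason
    # Step 3 of the article: retry once, then mark the connection re-auth required and stop.
    return (Outcome.RETRY_ONCE if attempt < 2 else Outcome.REAUTH_REQUIRED), label

# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = (200, '{"token_type":"Bearer","expires_in":3599,"access_token":"<constructed>","refresh_token":"<constructed>"}')
SAMPLE_INACTIVE = (400, '{"error":"invalid_grant","error_description":"AADSTS700082: The refresh token has expired due to inactivity."}')
SAMPLE_MFA = (400, '{"error":"invalid_grant","error_description":"AADSTS50076: multi-factor authentication required (constructed)."}')
```

Log the returned label alongside the connection id so that a spike in one AADSTS reason (mass revocation, a new Conditional Access policy) is visible in monitoring, as the prevention list below recommends.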

How to prevent refresh token issues

A few engineering habits go a long way:

  • Track refresh token age and inactivity windows
    Microsoft refresh tokens can expire when they sit idle.
  • Store the newest tokens atomically
    Always persist refreshed tokens immediately after each successful refresh.
  • Handle Conditional Access changes
    Fall back to interactive sign-in when policies change.
  • Monitor AADSTS code spikes
    Look for patterns to catch policy changes or mass revocations early.
  • Build a reconnect UX
    Make it easy for users to re-authorize when refresh fails.

Skip the headache: let Nango refresh for you

Nango is an open-source auth layer that handles OAuth token lifecycle management in production:

  • Secure storage for access + refresh tokens
  • Automatic access-token refresh
  • Concurrency-safe refresh logic
  • Clear signals when a connection needs re-auth

If you’re building a Microsoft API integration and tired of token lifecycle edge cases, Nango can manage the refresh pipeline so you can focus on product.

Oliver Anyanwu
Developer Relations
