I'm getting an invalid_grant error while generating an access token using a refresh token.
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Response
{
"error": "invalid_grant",
"error_description": "AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-06-13T23:20:02.9860000Z' and the TokensValidFrom date for this user is '2018-06-15T17:21:11.0000000Z'\r\nTrace ID: 4237d0b8-51fe-43c2-9b5c-ca9148175400\r\nCorrelation ID: d192091b-6277-4ef9-859a-87ba7f87491a\r\nTimestamp: 2018-06-18 07:22:59Z",
"error_codes": [50173],
"timestamp": "2018-06-18 07:22:59Z",
"trace_id": "4237d0b8-51fe-43c2-9b5c-ca9148175400",
"correlation_id": "d192091b-6277-4ef9-859a-87ba7f87491a"
}
The user was asked to change their password and the password was changed. I'm still seeing this error even after the password was changed. Will the refresh token become invalid in this case?
If you get this error while using the azure-cli, you can fix it by running:
az account clear
az login
That happens because after you change your password, tokens that are based on passwords expire. You then need to clear your account and log in again.
More information here
Yes, refresh tokens will become invalid after a password change.
Only non-password based tokens will stay valid.
(see active directory token documentation for more information)
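As an added example (my own code, not from any of the answers above or from the azure-cli project) of how a client should react to this response: the refresh token is unusable once AADSTS50173 comes back, so the right move is to drop the cached tokens and fall back to an interactive sign-in rather than retrying the refresh. The sample response body below is constructed from the question, with the trace and correlation IDs replaced by placeholder zeros.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the token endpoint response quoted in the question.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50173: The provided grant has expired due to it being revoked. "
        "The user might have changed or reset their password. The grant was "
        "issued on '2018-06-13T23:20:02.9860000Z' and the TokensValidFrom date "
        "for this user is '2018-06-15T17:21:11.0000000Z'\r\nTrace ID: "
        "00000000-0000-0000-0000-000000000000\r\nCorrelation ID: "
        "00000000-0000-0000-0000-000000000000\r\nTimestamp: 2018-06-18 07:22:59Z"
    ),
    "error_codes": [50173],
    "timestamp": "2018-06-18 07:22:59Z",
})

# AADSTS50173: the grant was revoked (typically a password change or reset).
REVOKED_GRANT_CODES = {50173}

# Matches the quoted timestamps in the error_description, e.g. '2018-06-13T23:20:02.9860000Z'.
_TS_RE = re.compile(r"'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z'")


def _parse_aad_timestamp(base, fraction):
    """Parse the 7-digit-fraction UTC timestamps Azure AD puts in error text."""
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if fraction:
        dt += timedelta(microseconds=int(fraction[:6].ljust(6, "0")))
    return dt


def revocation_window(body_text):
    """For an AADSTS50173 body, return (issued, tokens_valid_from, revoked).

    'revoked' is True when the grant was issued before TokensValidFrom, which is
    exactly the condition the error describes. Returns None if the body does not
    carry both timestamps.
    """
    body = json.loads(body_text)
    if not REVOKED_GRANT_CODES & set(body.get("error_codes", [])):
        return None
    matches = _TS_RE.findall(body.get("error_description", ""))
    if len(matches) < 2:
        return None
    issued = _parse_aad_timestamp(*matches[0])
    valid_from = _parse_aad_timestamp(*matches[1])
    return issued, valid_from, issued < valid_from


def handle_refresh_result(status_code, body_text, token_cache):
    """Decide what a token-refresh caller should do next.

    token_cache is the client's own dict of cached credentials (hypothetical
    structure for this example). Returns one of:
      "ok"             - a new access token was issued
      "reauthenticate" - the refresh token is dead; cached tokens were purged
      "retry"          - transient service error, safe to retry with backoff
      "error"          - anything else; surface to the caller
    """
    if status_code == 200:
        return "ok"
    try:
        body = json.loads(body_text)
    except ValueError:
        return "error"
    error = body.get("error")
    if error == "invalid_grant":
        # The refresh token will never work again (e.g. AADSTS50173 after a
        # password change). Purge it so the client does not loop on the token
        # endpoint; keep non-secret account metadata so the user can sign in again.
        token_cache.pop("refresh_token", None)
        token_cache.pop("access_token", None)
        return "reauthenticate"
    if error == "temporarily_unavailable":
        return "retry"
    return "error"


if __name__ == "__main__":
    cache = {"account": "pat.doe", "refresh_token": "r", "access_token": "a"}
    print(handle_refresh_result(400, SAMPLE_ERROR_BODY, cache), cache)
    print(revocation_window(SAMPLE_ERROR_BODY))
```

The purge-then-reauthenticate path is what `az account clear` followed by `az login` does by hand; the point of doing it in code is that a background job holding a refresh token should not keep hammering the token endpoint with a grant the directory has already revoked.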
Environment: Office 365 - Okta - On-premise Active Directory.
Error message:
The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'.
Workaround:
All you need to do is temporarily change the user's UserPrincipalName to that of a managed domain, update the password, and then change the UserPrincipalName back to the federated domain.
The first step is to get the user's ObjectId and UserPrincipalName. Run this command to get the ObjectId and the user's UserPrincipalName:
Get-AzureADUser -SearchString pat.doe
Now, run the following command to change UPN to a managed domain:
Set-AzureADUser -ObjectId 11bb4111-11a0-1114-8501-111180bf51d3 -UserPrincipalName [email protected]
Next, update the password with the following command:
Set-AzureADUserPassword -ObjectId 11bb4111-11a0-1114-8501-111180bf51d3
Change the UPN back to the federated domain. Run the following command:
Set-AzureADUser -ObjectId 11bb4111-11a0-1114-8501-111180bf51d3 -UserPrincipalName [email protected]
That's it. Now reset the password in Okta or the authoritative source (Active Directory).