I created an app on https://apps.dev.microsoft.com with the following Application Permissions:

Calendars.Read (Admin Only)
Calendars.ReadWrite (Admin Only)
User.Read.All (Admin Only)

The following is the only flow that has worked for me to be able to subscribe to notifications of another user, on another tenant, as described here.

Admin Consent

Admin consent was then successfully granted via this URL:

https://login.microsoftonline.com/common/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth

Get access token

An access token was then obtained from

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

with the header Content-Type=application/x-www-form-urlencoded, with {tenant} being the value of tenant returned in the callback URL, and a body with the key-value pairs

grant_type=client_credentials
client_id=bbb35336-faee-4c10-84b4-34136634db41
client_secret=xxx
scope=https://graph.microsoft.com/.default

This returns an access token, but not a refresh token. I think this might be because offline_access isn't requested.

How can I get a refresh token?
The member must reauthorize your application when refresh tokens expire. When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.
To use the refresh token, make a POST request to the service's token endpoint with grant_type=refresh_token, and include the refresh token as well as the client credentials if required.
If your application uses refresh token rotation, it can now store it in local storage or browser memory. You can use a service like Auth0 that supports token rotation.
You're partially correct: you will only receive a refresh_token if you request the offline_access scope and you are using the authorization_code grant flow.

Refresh tokens are not available when using the implicit grant and are unnecessary when using the client_credentials grant. When using client_credentials there isn't a user authenticated and therefore there isn't a need to "refresh" a token, since you can simply request a new token when needed.
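The point made in this answer, that under client_credentials you simply request a new token when the old one nears expiry, as an added example (not code from the question or the answers). It builds the same token request the question shows and caches the result; the HTTP POST is injected so the logic runs offline, and the tenant, client id and secret are constructed placeholders.

```python
"""Client-credentials token handling for the Microsoft identity platform v2.0
endpoint. Added example; tenant, client id and secret are placeholders."""
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, headers, body) for the client_credentials grant.

    offline_access is deliberately not requested: with client_credentials the
    endpoint issues an access token only, and there is no user to keep signed in.
    """
    url = TOKEN_URL.format(tenant=tenant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    })
    return url, headers, body


class AppTokenCache:
    """Caches an app-only access token and re-requests it shortly before expiry.

    `post` is injected: post(url, headers, body) -> dict parsed from the JSON
    token response, i.e. {"token_type": "Bearer", "access_token": ..., "expires_in": N}.
    `clock` is injectable so expiry handling can be tested without waiting.
    """

    def __init__(self, tenant, client_id, client_secret, post, skew=300, clock=time.time):
        self._request = build_token_request(tenant, client_id, client_secret)
        self._post, self._skew, self._clock = post, skew, clock
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        # Request a fresh token when none is cached or the cached one is within
        # `skew` seconds of expiry; this replaces the refresh_token grant.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._post(*self._request)
            if resp.get("token_type", "Bearer") != "Bearer" or "access_token" not in resp:
                raise RuntimeError("token endpoint returned no bearer access token")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp["expires_in"])
        return self._token
```

Callers hold one AppTokenCache per tenant and call get_token() before each Graph request; the secret never leaves the process and no long-lived refresh token needs storing.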