Unanswered

The refresh token has expired due to inactivity.

(0) Share

Report

Posted on by TV-21110834-0

Hello, I think you are my last hope.

I got a PowerApps app using multiples flows. Both the app and the flows were built by a service provider, which we end to cooperate meanwhile - for a big part due to this issue. The application is stored on an internal service account, with powerapps premium licence, which used to have MFA activated prior to Microsoft enforced rules.

One of the flow regularly (up to 2/10) ends with following error, since the beginning. When it does, it is ALWAYS in 2 particular spots of the flow :

The error is the following, in both cases (I replaced the office365users id from source by a *, maybe there's a way to identify me) :

{

"status": 401,

"source": "https://europe-002.token.azure-apim.net:443/tokens/europe-002/office365users/*/exchange",

"message": "Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and office365users is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: office365usercertificate. Correlation Id=916427d6-b7cf-41fa-a726-75e034947e32, UTC TimeStamp=11/21/2024 10:51:42 AM, Error: Failed to acquire token from AAD: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-06-28T21:07:26.5536738Z and was inactive for 90.00:00:00. Trace ID: 177795df-5f06-4414-bc32-10f550c70b00 Correlation ID: 4e34e3f6-6607-46e9-ba65-5a6bb03dd8d7 Timestamp: 2024-11-21 10:51:42Z\",\"error_codes\":[700082],\"timestamp\":\"2024-11-21 10:51:42Z\",\"trace_id\":\"177795df-5f06-4414-bc32-10f550c70b00\",\"correlation_id\":\"4e34e3f6-6607-46e9-ba65-5a6bb03dd8d7\",\"error_uri\":\"https://login.windows.net/error?code=700082\"}']"

}

From what I understand from my own readings, such issue can happen from :

- the account is using MFA;

- the application connections are broken;

The account USED TO have MFA activated - but doesn't have anymore (Entra account infos for that account, showing no effective MFA stuff) :

The applications connexions don't seem broken aswell (they were doubled for no specific reason by the service provider) :

I read more about the refresh tokens and our issues, and it looks like :

- we hit a boundary of 90 days, which is the regular lifetime expectancy of a refresh token

- the connexion seems to use old refresh tokens, but most of time it doesn't

- the old refresh tokens seem to never refresh - I suppose when you got such mechanism, deprecated tokens are supposed to be DELETED and replaced with new ? not simply stacking in the pool ?

- there is only one try and it instantly fails the flow if the token is invalid

- the service account got a pool of refresh tokens, and we got multiple old refresh tokens running (since date of refresh token is sometimes different, I counted at least 4 differents dates, and sometimes it's the same)

We're stucked with that issue since few months, and I'm currently working on that matter with a Microsoft tech since almost 2 months - with 0 special progress whatsoever.

Do you ppl would have any sort of idea to unblock this situation ? Wasted time on that matter is incredible for such "basic" thing which would work flawlessly due to the very basic needs of getting a connection for almost anything.

Optional questions :

- Is there a way to DELETE/REFRESH refresh tokens out of an account ? If following command is supposed to work Revoke-AzureADUserAllRefreshToken (AzureAD) | Microsoft Learn, what are the downfalls using it ? How will my application act after running it (actual waiting flows, notably - but will it generate new refresh tokens aswell ?) The application is in production.

- Is there a way to see actual pool of refresh tokens out of an account ?

I would like to use my work time better checking if a flow failed, launching it manually back - seeing it failing again and calling the victim to tell to redo his request... To *eventually* get another fail.

Ty for any type of answer.

Categories:

Building flows

I have the same question (0)

All responses (5)

Answers (0)

WBADAM03 179 on at

Like (0)

Report

Sorry to reply so late, have you had any luck?

I am having the same problems. We implemented MFA on all accounts and that correlates with when I started having this problem. I have an open ticket with MS but our reps have not been helpful and have no resolved the problem after a month.

They have an open issue: Power Platform admin center , it says "Resolved" but I have seen the problem as recently as a week ago.

Was this reply helpful? Yes No
TV-21110834-0 17 on at

Like (0)

Report

Hello WBADAM03 and ty for your interest,

my ticket over PowerApps platform #2409250050000629 ended today (opened the 26th september, btw), said technician rerouted me to Sharepoint platform stating since Sharepoint logic brick ends with an issue, it's probably it - even if I told him the M365 logic brick was also sending the same type of issue.

I ran 2 technicians for ~1h30 over 3 months, they were basically clueless - logged twice to see my computer screen over a 3 months span - the first one told me he raised the value of fails over my flows, the second rerouted me to sharepoint platform, and that's it. Not even a decent hotfix.

I still have periodic issues (still the 20% lossrate ratio), and it's not bound to a single flow, but multiple. The used tokens are always on the same date (around may/june 2024 and often the same date), so I believe PowerApps generated and STORED tokens, and re-use them over and over.

Unfortunately I'm not a Microsoft tech, and the real ones seem even more clueless than me, so...

I don't even know if MFA is actually involved or not on this matter, it could be interesting to test your flow on another, never MFA-ed account, and see if it runs fine. The application I run over is too complex for me, it runs multiple imbricated flows and is linked to an app. I can't simply test/move it, I got other tasks to do on my job, and I don't have enough knowledge/time to rebuild from zero.

I too managed to find your pinned Microsoft issue, the solution is simply impossible to run for me, we use flows as a side system of an application, people are expected to use that application, not running themselves failed flows. And even running back failed flows make them fail again, in 90% of time. Also, it was definitively not fixed, I ran the exact same issue around 19h december.

Was this reply helpful? Yes No
TV-21110834-0 17 on at

Like (0)

Report
At the date of 24/01/25, 4 months later the first issue, I still have the exact, same issue.

Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and sharepointonline is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: sharepointonlinecertificatev2. Correlation Id=3ef1bc19-884a-4786-a044-fa7f2d198d01, UTC TimeStamp=1/23/2025 1:42:33 PM, Error: Failed to acquire token from AAD: {"error":"invalid_grant","error_description":"AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-05-12T10:14:01.3157646Z and was inactive for 90.00:00:00. Trace ID: 8819be5c-98ea-47ee-aec4-f9767fd20d00 Correlation ID: ef1f0fa3-e96a-460a-9487-1ec7a0b882d6 Timestamp: 2025-01-23 13:42:33Z","error_codes":[700082],"timestamp":"2025-01-23 13:42:33Z","trace_id":"8819be5c-98ea-47ee-aec4-f9767fd20d00","correlation_id":"ef1f0fa3-e96a-460a-9487-1ec7a0b882d6","error_uri":"https://login.windows.net/error?code=700082"}']

Added to that, I can say :

It's not bound to a unique brick logic, actually Office 365, Sharepoint and Outlook bricks can trigger it.

It's not bound to a flow, 3 of my flows are affected the same way.
Used deprecated refresh tokens seem to stay the same, around may/june 2024.

I ran a Revoke-AzureADUserAllRefreshToken -ObjectId over the service account, which requested me to reconnect all connexions, without any improvement

Was this reply helpful? Yes No
TV-21110834-0 17 on at

Like (0)

Report

At the date of 21/03/25, I still got the issue. It impacts all flows of my account.

I generated back all connexions on the service account AND connexions references on the solution. We also tried with a Microsoft "engineer" (basically a tech lvl 1 reading internal knowledge base) to use another account, generate connexions from here, use them into my reference connexions of my application -still failing with refresh access tokens issue.

I managed to get 3 different "engineer teams", and the answers are kinda speechless :

- first ticket : first dude was sick half the time, and the second dude told me it was a Sharepoint issue and I had to adress to sharepoint team ;

- second ticket : the dude ended saying it wasn't related to powerapps, but powerautomate so he asked me to make a ticket to powerautomate team ; the problem is when we did it together, it basically generated a ticket... On his own support team.

- third ticket : the dude gave me a "solution" which I, myself, was able to generate from Copilot (and he is probably unable, technically, to apply to my case), and he is telling me it's due to Outlook (?!).

I got that issue since almost 8 months. Can't I have a real support from an actual Microsoft * engineer * ?

Was this reply helpful? Yes No
TV-21110834-0 17 on at

Like (0)

Report
At the date of 06/05/2025, my application is still using refresh access tokens issued in may 2024.

All connexions were re-done from zero

All references on my application solution were redone

The mail sending thing was redone

Another test account with another premium licence was used to generate connexions

and I STILL GOT THIS ISSUE.

{

  "status": 401,

  "source": "https://europe-002.token.azure-apim.net:443/tokens/europe-002/office365/d1f2fd6e7e594326a1688eb0c0f1ce61/exchange",

  "message": "Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and office365 is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: aadcertificate. Correlation Id=23e97a90-6e10-431f-a4c7-1cd7e763abe8, UTC TimeStamp=5/6/2025 2:29:18 PM, Error: Failed to acquire token from AAD: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-05-21T16:40:52.6750601Z and was inactive for 90.00:00:00. Trace ID: c6161fb8-c90e-472c-b7f7-6c446de65a00 Correlation ID: 6d78e911-10cf-4ad7-bf8b-9ff1d470d363 Timestamp: 2025-05-06 14:29:18Z\",\"error_codes\":[700082],\"timestamp\":\"2025-05-06 14:29:18Z\",\"trace_id\":\"c6161fb8-c90e-472c-b7f7-6c446de65a00\",\"correlation_id\":\"6d78e911-10cf-4ad7-bf8b-9ff1d470d363\",\"error_uri\":\"https://login.windows.net/error?code=700082\"}']"

}

Was this reply helpful? Yes No