We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

Azure OAuth Refresh Token Not Renewing Automatically

NagaR1940402706
Tera Contributor

Our ServiceNow instance uses Azure OAuth 2.0 for both inbound IMAP and outbound SMTP email processing.

We have observed that access tokens are being renewed automatically, however, the refresh token is not being renewed or rotated after expiry, even though the offline_access scope is added in the OAuth Entity Profile.

Please help identify if any additional Azure or ServiceNow configuration is required to support automatic refresh token renewal.

 

@Tanushree Maiti  @Ankur Bawiskar 

12 REPLIES 12

Hi Naga,

Not necessarily. The access token working only proves that the current token is still valid or that ServiceNow can obtain a new access token with the refresh token it already has. It does not prove that Azure will issue a new refresh token every time.

For Azure / Entra ID, I would check this from two sides:

  1. Does the token endpoint response actually include a new refresh_token during refresh?
  2. If it does, is ServiceNow replacing the stored managed token value with the new one?
  3. If it does not, then this is controlled by the Microsoft identity platform / tenant policy / consent flow, not by the ServiceNow access token logic.

Things I would ask the Azure team to verify:

  • The original authorization included offline_access and admin/user consent was actually granted.
  • The app registration platform type is correct for this integration, preferably Web/confidential client rather than SPA-style behavior.
  • Conditional Access or sign-in frequency policies are not forcing refresh token expiry/re-authentication.
  • The refresh token has not been revoked by password reset, consent revocation, app change, user risk policy, or mailbox/account policy.
  • Entra sign-in logs for the token refresh attempt show success/failure details.

On the ServiceNow side, check the OAuth token/managed token record timestamps and expiry values. If the refresh token is already expired or revoked, ServiceNow cannot magically renew it; the integration has to be re-authorized. If you cannot delete the PROD token safely, the safer path is to reproduce this in a lower environment or create a parallel test OAuth profile/app registration/mailbox and validate the authorization flow there first.

So your assumption is correct: a totally wrong app configuration would often break access token generation too. But refresh-token rotation/renewal can still fail independently because it depends on offline_access consent, refresh-token lifetime/revocation policy, and whether Azure returns a replacement refresh token during the refresh flow.

NagaR1940402706
Tera Contributor

@Tanushree Maiti  is there anything wrong here?

NagaR1940402706_0-1781890765739.png

 

Please verify both screenshots @Tanushree Maiti 

NagaR1940402706_1-1781890932533.png