Microsoft Teams Graph OAuth token always expires in one hour
03-13-2025 10:43 AM
I'm trying to set up the Teams and Teams Graph spokes. When I set up the Teams spoke and use my OAuth access token, it shows it will expire in three months, just like I set.
When I use the same token in the Teams Graph, it tells me it will expire in one hour. I've been looking for a reason, but can't seem to find one. Any idea why this might happen?
03-13-2025 10:57 AM
Hi Garrett,
The difference in token expiration times between the Teams Spoke and Teams Graph Spoke likely comes from how the authentication flow is set up for each integration. Here’s why this might be happening:
1. Token Types and Expiration Differences
Teams Spoke Token (3-month expiration)
Likely using a client credentials flow (app-only authentication).
These tokens typically last for a long period (up to 90 days).
Used for bot interactions, sending messages, or other automation within Teams.
Teams Graph Spoke Token (1-hour expiration)
Likely using an OAuth 2.0 authorization code flow (delegated authentication).
These tokens are usually short-lived (1 hour) but can be refreshed with a refresh token.
Needed when performing user-specific actions (e.g., reading messages, accessing user calendars).
2. Why is the Graph Spoke Token Expiring in 1 Hour?
Microsoft Graph API follows stricter OAuth policies compared to Teams Spoke.
By default, Graph API access tokens issued via OAuth expire in 1 hour.
Microsoft provides a refresh token that can be used to get a new access token.
The application’s OAuth settings might enforce shorter expiration times for security reasons.
3. How to Fix or Work Around It
Option 1: Enable Token Refresh
In your OAuth setup for Teams Graph Spoke, ensure you are also storing and using the refresh token.
When the access token expires, use the refresh token to get a new one automatically.
Option 2: Use Client Credentials Flow (If Possible)
If you don’t need user-specific actions, try switching the Graph API to use client credentials flow, similar to Teams Spoke.
This will give you a longer-lived token.
Option 3: Extend the Token Lifetime in Azure AD
Check your Azure AD App Registration settings.
Under Authentication → Access Token Lifetimes, see if policies are enforcing a strict 1-hour limit.
If possible, modify the policy to allow longer expiration times.
Option 4: Debug Token Policies
Run the following command in PowerShell (Azure CLI) to check your token policies:
Get-AzureADPolicy
Look for any policies related to token expiration and refresh settings.
Conclusion
The Teams Spoke token lasts longer because it’s likely using app-only authentication.
The Graph Spoke token expires in 1 hour because it follows delegated authentication rules.
To fix it, either enable automatic token refresh or switch to client credentials flow if possible.
Kindly mark it as "Accepted Solution"/"helpful", as it resolves your query. Please press the like button for the resolution provided.
With Regards,
Krishna Kumar M - Talk with AIT3ch
LinkedIn: https://www.linkedin.com/in/mkrishnak4/
YouTube: https://www.youtube.com/@KrishAIT3CH
Topmate: https://topmate.io/mkrishnak4 [ Connect for 1-1 Session]
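
Option 1 in the reply above (renewing the one-hour access token with the refresh token), as an added example that is not part of the original thread and is not ServiceNow's or Microsoft's own code. It assumes the Microsoft identity platform v2.0 token endpoint and a confidential client; `GraphTokenCache`, the injectable `post` and `clock` parameters, and the five-minute `skew` are hypothetical names and values chosen for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint; {tenant} is filled in by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def http_post_form(url, form):
    """Default transport: POST a form body over HTTPS and return the parsed JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return json.load(resp)


class GraphTokenCache:
    """Holds a delegated access token and renews it with the stored refresh token."""

    def __init__(self, tenant, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time, skew=300):
        self.url = TOKEN_URL.format(tenant=tenant)
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token, self.expires_at = None, 0.0

    def get(self):
        # Renew `skew` seconds early so no request goes out with a token about to lapse.
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            self._refresh()
        return self.access_token

    def _refresh(self):
        reply = self.post(self.url, {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        })
        if "access_token" not in reply:
            # An error body (for instance invalid_grant) means the user has to sign in again.
            raise RuntimeError("refresh failed: " + str(reply.get("error", "unknown")))
        self.access_token = reply["access_token"]
        self.expires_at = self.clock() + int(reply.get("expires_in", 3600))
        # The endpoint may return a new refresh token; keep the newest and drop the old one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
```

Persist the updated `refresh_token` in the same protected store as the client secret, and keep both out of logs.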