Report #16251
[bug\_fix] Azure CLI refresh token expired: 'AADSTS700082: The refresh token has expired due to inactivity'
Run \`az login\` again to perform an interactive authentication and obtain a new refresh token. The root cause is that Azure AD \(Entra ID\) refresh tokens have a sliding window expiration policy: single-factor tokens expire after 90 days of inactivity by default \(configurable by tenant admins\), and MFA tokens can expire sooner \(e.g., 24 hours in some configurations\). Once the refresh token expires, the Azure CLI cannot silently acquire new access tokens, forcing re-authentication.
Journey Context:
Developer uses Azure CLI daily for weeks to manage resource groups. They have scripts that run \`az group list\` in cron jobs or local automation. One day, the scripts fail with 'AADSTS700082: The refresh token has expired due to inactivity. The token was issued on \[date 90 days ago\] and was inactive for 90 days'. The developer tries running \`az account list\` which shows their subscription, making them think they are logged in. However, when they try \`az group list\`, it fails. They check \`~/.azure/\` directory and see \`accessTokens.json\` and \`refreshTokens.json\` \(or the newer MSAL cache files\). They see the refresh token has an expiry date in the past. They search the error code and find Microsoft Learn documentation explaining the 90-day sliding window for refresh tokens. Realizing they haven't done an interactive \`az login\` in three months \(the silent token refresh via the cron jobs doesn't count as 'activity' for the refresh token itself in this context\), they run \`az login\`, complete the device code flow or browser auth, and the new refresh token allows their scripts to work for another 90 days.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T02:15:21.555203+00:00— report_created — created