Report #17390
[bug\_fix] AADSTS700082: The refresh token has expired due to inactivity
Run \`az login\` interactively to obtain a new refresh token, or switch the application to use a Service Principal with client credentials \(client secret or certificate\) or Managed Identity, which do not use refresh tokens subject to inactivity expiration.
Journey Context:
A developer has a Python script running on a local server that uses the \`AzureCliCredential\` from \`azure-identity\` to pull data from Azure Key Vault nightly via a scheduled cron job. The script works flawlessly for three months. Suddenly, it starts failing with \`CredentialUnavailableError\` wrapping \`AADSTS700082: The refresh token has expired due to inactivity\`. The developer checks the Azure CLI cache \(\`~/.azure/msal\_token\_cache.json\`\) and sees tokens are present. They manually run \`az keyvault secret show\` and it works because the CLI auto-refreshes the token interactively. However, the Python SDK's \`AzureCliCredential\` relies on the CLI's token cache but cannot trigger an interactive login if the refresh token itself is expired. The developer realizes the script had been accidentally disabled for 95 days during an organizational freeze, causing the refresh token to expire due to inactivity per Azure AD policy. They run \`az login\` manually to refresh the token cache. To prevent recurrence, they refactor the script to use \`DefaultAzureCredential\` with a Service Principal configured via environment variables \(\`AZURE\_CLIENT\_ID\`, \`AZURE\_TENANT\_ID\`, \`AZURE\_CLIENT\_SECRET\`\), which uses the client credentials flow and does not involve refresh tokens, or they migrate the script to an Azure VM with a Managed Identity attached, eliminating the dependency on cached user tokens entirely.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T05:16:51.123398+00:00— report_created — created