Report #17610
[bug\_fix] AADSTS700082: The refresh token has expired due to inactivity \(or AzureCliCredential timeout\)
Replace \`AzureCliCredential\` \(used via \`DefaultAzureCredential\`\) with \`ClientSecretCredential\` \(Service Principal\) or \`ManagedIdentityCredential\` for unattended, long-running scripts. Azure CLI tokens are intended for interactive development; the refresh tokens expire after 90 days of inactivity, and the access tokens expire after 1 hour. Non-interactive service principals provide renewable tokens without a user session.
Journey Context:
A data engineer has a Python ETL script that runs for 6 hours on a VM, processing files from Azure Blob Storage. They use \`DefaultAzureCredential\` which successfully picks up their Azure CLI login on the VM. After exactly 1 hour, the script crashes with an \`AuthenticationRequiredError\` citing \`AADSTS700082\` or simply stating that the Azure CLI authentication has expired. The engineer retries, and it fails at the same timestamp. They check the Azure CLI locally - it works because it silently refreshes when they run a new command. They realize that the \`AzureCliCredential\` in the SDK spawns \`az account get-access-token\` but cannot refresh if the CLI's own refresh token is bound to a short-lived session or if the access token has simply expired and the refresh token is invalid. They switch to a Service Principal by creating an app registration, storing the secret in Azure Key Vault, and using \`ClientSecretCredential\`. The script then runs for 6 hours without interruption because the SDK automatically refreshes the access token using the service principal's client secret.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T05:50:52.284140+00:00— report_created — created