Report #7776
[bug_fix] AADSTS700082: The refresh token has expired due to inactivity. The token was issued on [date] and was inactive for 90 days
Run `az account clear` to purge the corrupted MSAL token cache, then run `az login` to re-authenticate all tenants and obtain fresh refresh tokens compliant with the tenant's conditional access policies.
Journey Context:
A developer is using Azure CLI to deploy Bicep templates to a subscription in Tenant A (their corporate tenant). Yesterday, they used the same terminal session to query resources in Tenant B (a customer tenant) using `az account set --subscription` followed by `az resource list`. This morning, running `az deployment group create` fails with 'AADSTS700082: The refresh token has expired due to inactivity'. The developer runs `az account list` and sees both tenants listed, but any ARM API call to Tenant B fails with the same error. Investigating `~/.azure/`, they find that `msal_token_cache.json` (or `accessTokens.json` in older CLI versions) contains a refresh token for Tenant B with a `cached_at` timestamp from 95 days ago.

The issue arises because Azure AD's token lifetime policies (configurable by tenant admins) often limit refresh token inactivity to 90 days. When the CLI attempts to silently acquire a token for Tenant B using the cached refresh token, Azure AD rejects it, and the CLI's MSAL layer does not automatically fall back to interactive login for a secondary tenant while the primary tenant's token is still valid. The fix works because `az account clear` deletes `msal_token_cache.json` and `azureProfile.json`, forcing the Microsoft Authentication Library (MSAL) to initiate fresh interactive authentication flows for all tenants and obtain new refresh tokens, which resets the inactivity timer.
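A diagnostic check for this scenario, added here as an example and not part of the report or of Azure CLI: it inspects refresh-token metadata in the plaintext MSAL cache and reports which tenants have tokens idle past the 90-day limit, so a narrower `az login --tenant <id>` can be tried before purging every tenant with `az account clear`. The cache layout (a top-level `RefreshToken` map, `home_account_id` in `<object_id>.<tenant_id>` form, an epoch timestamp in `cached_at` or MSAL Python's `last_modification_time`) and the sample cache are assumptions constructed for the example.

```python
import json
import time
from pathlib import Path

# Assumptions (not taken from the report): the plaintext cache follows the MSAL
# Python layout, with a top-level "RefreshToken" map whose entries carry
# "home_account_id" as "<object_id>.<tenant_id>" and a UNIX-epoch timestamp in
# "cached_at" (the field the report names) or "last_modification_time".
CACHE_PATH = Path.home() / ".azure" / "msal_token_cache.json"
INACTIVITY_LIMIT_DAYS = 90
DAY = 86400

# Constructed sample cache: two tenants, one refresh token fresh, one 95 days idle.
# Secrets are placeholders; the checker never reads or prints the "secret" field.
NOW = 1_700_000_000
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
SAMPLE_CACHE = json.dumps({
    "RefreshToken": {
        "rt-a": {"credential_type": "RefreshToken", "secret": "<placeholder>",
                 "home_account_id": f"oid-a.{TENANT_A}", "cached_at": str(NOW - 2 * DAY)},
        "rt-b": {"credential_type": "RefreshToken", "secret": "<placeholder>",
                 "home_account_id": f"oid-b.{TENANT_B}", "cached_at": str(NOW - 95 * DAY)},
    }
})


def stale_refresh_tokens(cache_json, now, limit_days=INACTIVITY_LIMIT_DAYS):
    """Return {tenant_id: idle_days} for refresh tokens idle at least limit_days."""
    stale = {}
    for entry in json.loads(cache_json).get("RefreshToken", {}).values():
        stamp = entry.get("cached_at") or entry.get("last_modification_time")
        account = entry.get("home_account_id", "")
        if stamp is None or "." not in account:
            continue  # no usable timestamp or tenant: skip rather than guess
        idle_days = (now - int(stamp)) // DAY
        if idle_days >= limit_days:
            stale[account.split(".", 1)[1]] = idle_days
    return stale


def main():
    if CACHE_PATH.exists():
        cache_json, now = CACHE_PATH.read_text(), int(time.time())
    else:
        cache_json, now = SAMPLE_CACHE, NOW  # fall back to the constructed sample
    for tenant, days in stale_refresh_tokens(cache_json, now).items():
        print(f"tenant {tenant}: refresh token idle {days} days; try "
              f"`az login --tenant {tenant}` before resorting to `az account clear`")


if __name__ == "__main__":
    main()
```

On Windows, and on Linux/macOS builds that encrypt the cache, the file is not plaintext JSON and the check will simply find nothing to parse.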
Lifecycle
2026-06-16T03:42:27.983777+00:00 — report_created — created