The Ghost Session Problem: The Real Persistence Threat in Azure AD


Introduction

 

Password resets, MFA prompts, and user deactivation can feel like a full stop, but in Azure AD the real gap lies elsewhere. Once the directory issues a refresh token, it remains valid for hours or days, letting anyone who steals it silently generate new access tokens with the user’s privileges. No password, no MFA challenge, no interactive sign‑in.

 

This blog explains how refresh‑token replay works, shows the entire flow from a terminal window, and maps out the steps defenders must take to shut it down.

 

What Are Refresh Tokens and Why Are They Dangerous?

 

A refresh token is a long-lived credential issued by Azure AD during an OAuth 2.0 sign-in. It allows clients to silently request new access tokens without requiring the user to re-enter credentials or complete MFA again. These tokens typically live from 24 hours to 90 days, depending on the client type and tenant policy, and are stored locally in MSAL caches, browser IndexedDB, or mobile keychains. They remain valid until Azure explicitly revokes or rotates them.

 

This persistence is the risk: if an attacker steals a refresh token, they can keep generating new access tokens and maintain access, often without detection. Revocation is something an administrator must trigger, so the token stays valid until Azure sees and invalidates it.

 

Standard defenses like password resets are often ineffective. Unless sessions are explicitly revoked by an administrator, stolen refresh tokens remain active. Even disabling or deleting a user doesn't always help immediately: Azure may allow a final token redemption, giving attackers just enough time to regain access and re-establish persistence.

 

Real World Example

 

Microsoft’s incident response teams regularly observe adversaries dumping browser caches or token storage on compromised endpoints, then replaying those refresh tokens to harvest Microsoft Graph data. 

In a 2024 breach at a manufacturing company, the attacker initially lost access when the incident response team reimaged compromised laptops. However, a single overlooked browser token allowed the attacker to return days later and exfiltrate mailboxes using unattended Graph API calls.

 

Real Attack Flow Example

 

1. Initial token theft - Attacker grabs %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cookies (or the MSAL cache at %USERPROFILE%\.azure\msal_token_cache.json) and extracts a refresh token tied to login.microsoftonline.com.

 

2. Redeem the stolen refresh token - the attacker can run from any machine:

curl -X POST \
  https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=<PUBLIC_CLIENT_ID>" \
  -d "scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" \
  -d "refresh_token=<STOLEN_REFRESH_TOKEN>" \
  -d "grant_type=refresh_token"

Azure returns a new access token plus a new refresh token, extending the attacker’s window.

 

3. Impersonate the user:

# the URL is single-quoted so the shell does not expand $top
az rest -m GET \
  -u 'https://graph.microsoft.com/v1.0/me/messages?$top=10' \
  --headers "Authorization=Bearer <ACCESS_TOKEN>"

 

4. Persistence after offboarding: Even if the account is disabled, the already‑issued refresh token often remains valid for up to one hour (the default Continuous Access Evaluation window) or until token revocation completes.

 

Detection & Mitigation

 

  1. Revoke Refresh Tokens on Offboarding - Run az ad user revoke-sign-in-sessions --id <UPN> (or set up an automated Playbook) the moment you disable or delete an account.
  2. Audit refresh-token grants - In Entra ID Sign-In Logs, filter where Grant_Type = Refresh Token and UserAccountEnabled = false. Any hits after a user is disabled signal a replay attempt.
  3. Shorten token lifetimes for sensitive roles - Apply an Authentication Session policy or Conditional Access session control that sets Sign-in frequency = 8 hours (or less) for Global Admins, owners, and Tier 0 assets. A shorter lifetime limits an attacker’s window even if they obtain a token.
  4. Enable Continuous Access Evaluation (CAE) - Turn on CAE tenant-wide. CAE forces Azure to revalidate tokens immediately on high-risk events like password reset, user disablement, or location change, closing the default one-hour grace period.
  5. Hunt for non-interactive Graph abuse - Query Defender for Cloud Apps or your Graph logs for large volumes of requests from the AzureAD OAuth user agent or unusual IP ranges. Focus on endpoints such as /users, /messages, /drive/root, and /sites/root.
  6. Apply service-level controls - For Microsoft 365 workloads, enable Client App Enforced Restrictions and Conditional Access App Control to block downloads when access is non-interactive or when the session is risky.
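Steps 1 and 2 above in working form, as an added example that is not part of the original post or any Cyngular tool: it flags refresh-token grants recorded after an account's disable time over constructed sample sign-in records, and builds the Microsoft Graph revokeSignInSessions call that invalidates every refresh token for the user. The record field names mirror the page's own Grant_Type label; a real Entra ID export uses its own schema.

```python
from datetime import datetime, timezone


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:45:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample: alice was disabled at 10:00 UTC on 2024-05-01; bob is active.
DISABLED_AT = {"alice@contoso.example": parse_ts("2024-05-01T10:00:00Z")}

SAMPLE_SIGNINS = [  # constructed records, loosely shaped like sign-in log rows
    {"upn": "alice@contoso.example", "time": "2024-05-01T09:30:00Z",
     "Grant_Type": "Refresh Token", "ip": "203.0.113.5"},       # before disable: normal
    {"upn": "alice@contoso.example", "time": "2024-05-01T10:45:00Z",
     "Grant_Type": "Refresh Token", "ip": "198.51.100.7"},      # after disable: replay
    {"upn": "alice@contoso.example", "time": "2024-05-01T11:10:00Z",
     "Grant_Type": "Authorization Code", "ip": "198.51.100.7"}, # interactive: not a replay
    {"upn": "bob@contoso.example", "time": "2024-05-01T12:00:00Z",
     "Grant_Type": "Refresh Token", "ip": "203.0.113.9"},       # enabled user: normal
]


def find_replays(signins, disabled_at):
    """Return refresh-token grants issued at or after the user's disable time.

    Any hit means a previously issued refresh token was redeemed for a disabled
    account, which is exactly the replay pattern step 2 tells you to filter for.
    """
    hits = []
    for rec in signins:
        cutoff = disabled_at.get(rec["upn"])
        if cutoff is None or rec["Grant_Type"] != "Refresh Token":
            continue
        if parse_ts(rec["time"]) >= cutoff:
            hits.append(rec)
    return hits


def revoke_request(upn):
    """Describe the Graph call for step 1: POST /users/{id}/revokeSignInSessions.

    Graph resets the user's signInSessionsValidFromDateTime, so every refresh
    token issued before now stops redeeming. Send it with an admin bearer token.
    """
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/users/{upn}/revokeSignInSessions",
    }


if __name__ == "__main__":
    for hit in find_replays(SAMPLE_SIGNINS, DISABLED_AT):
        print("replay suspected:", hit["upn"], hit["time"], hit["ip"])
        print("revoke with:", revoke_request(hit["upn"]))
```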

 

Conclusion

 

Refresh tokens are intended to enhance user experience, but in the hands of an attacker, they act as a quiet skeleton key, hard to detect, bypassing MFA, and difficult to expire. Without proactive revocation and thorough log monitoring, disabling the compromised account may appear to solve the issue while the adversary remains active in your cloud environment.

 

Enforcing stricter session policies, enabling Continuous Access Evaluation (CAE), and revoking tokens during offboarding help bridge the gap between account deactivation and truly cutting off access.

 

Cyngular Security's CIRA Platform

 

To further secure your cloud environment, consider integrating Cyngular Security's CIRA platform. It enhances your security posture by providing advanced investigation and response capabilities, enabling your team to address threats swiftly and effectively. By adopting Cyngular Security's CIRA, you empower your organization with proactive and automated security measures that protect your cloud assets.

Get a Free Breach Assessment

Protect your cybersecurity infrastructure with a complimentary breach assessment from Cyngular:

  • Safe and Non-disruptive: Conducted with read-only access to ensure no operational disruption.
  • Easy Setup: Integrates seamlessly with your existing SIEM systems.
  • Deep Insights: Empowers your cybersecurity strategy with advanced threat hunting and proactive investigation capabilities.

Request your free Proof-of-Value today and lead the way in cybersecurity innovation with Cyngular.

 
