Azure AD attributes are not updated in email signatures (OAuth tokens expired)
Azure Active Directory attributes in your users' email signatures are not synchronized with your Azure AD, so the signatures contain outdated user information. The CodeTwo Admin Panel shows a warning that your OAuth 2.0 access tokens have expired (Fig. 1.), and you receive an email notification from CodeTwo asking you to refresh them. The tokens can expire, or expire sooner than expected, when, for example:
- the password for the global admin account used to manage your tenant in the CodeTwo Admin Panel (or the global admin account used to previously refresh the access tokens) has been changed;
- the authentication method for that admin account has changed, for example multi-factor authentication (MFA) has been enabled or disabled;
- the security settings in your organization have changed;
- your MFA service settings for trusted devices require users to re-authenticate very frequently. Read more below.
To keep Active Directory information in email signatures up to date, you need to refresh these tokens in the CodeTwo Admin Panel every time they expire. Otherwise, the software cannot read the values of users' attributes from your Azure AD and synchronize them with your email signatures.
If the Office 365 admin account used to refresh tokens in the CodeTwo Admin Panel (by default, the global admin account that was used to register the Office 365 tenant in the Admin Panel, but it can be any other global admin of this tenant) uses multi-factor authentication, the frequent expiration of access tokens may be related to the MFA service settings in your organization. Azure AD can remember authentication for a specified number of days before it prompts users to authenticate again (e.g. by performing two-step verification). This period is also the period for which our software can use the access tokens before they need to be refreshed (refreshing the tokens requires your admin to re-authenticate, as explained in the User's manual).
To check and manage your MFA service settings, you need to:
- Open the Azure portal and sign in as a global admin of your organization.
The next steps can also be performed in the Azure Active Directory admin center, which has the same interface as the Azure portal but limits the available options to Azure AD management. You can open the Azure AD admin center from your Microsoft 365 (Office 365) admin center by choosing Admin centers > Azure Active Directory.
- Choose Azure Active Directory from the menu on the left and then click Users (Fig. 2.).
- Click Multi-Factor Authentication (Fig. 3.).
- Select the service settings tab and go to the remember multi-factor authentication section (Fig. 4.).
- Check how many days Azure AD remembers authentication in your organization. This period also determines how often the CodeTwo software's access tokens need to be refreshed.
Depending on your organization's settings, this section can be configured differently or may not be configured at all. If the checkbox is not selected, the frequent or unexpected expiry of access tokens is probably caused by other factors. When you select the checkbox for the first time, the default value is 14 days.
- Modify the number of days if necessary. For example, if the period is too short for you, you can increase it.
These settings apply to all MFA-enabled users and directly affect your organization's security.
- Save the changes.