Entra ID (Azure AD) attributes are not updated in email signatures (OAuth tokens expired)
Problem:
Microsoft Entra ID (Azure Active Directory) attributes in the email signatures of your users are not synchronized with your Entra ID and, as a result, your signatures contain outdated user information. CodeTwo Admin Panel shows a warning that your OAuth 2.0 access tokens have expired (Fig. 1.), and you receive an email notification from CodeTwo, asking you to refresh them.
Fig. 1. CodeTwo Admin Panel shows that OAuth 2.0 access tokens have expired.
Solution:
Tip
To avoid synchronization- or token-related problems, we recommend that you use CodeTwo's Attributes manager instead. This tool lets you edit and bulk-edit the Entra ID (Azure AD) attributes used in email signatures, disclaimers and auto replies, and also create custom attributes that match your use cases. All changes are applied instantly and do not affect your original Entra ID data, because the information is stored in the CodeTwo Azure AD cache.
The OAuth 2.0 access tokens are set to not expire under normal circumstances. If your tokens expire regularly or have expired unexpectedly, it might be caused by one of these factors:
- the password for the global admin account used to manage your tenant in CodeTwo Admin Panel (or the global admin account used to previously refresh the access tokens) has been changed;
- the global admin account used to generate or refresh the access tokens has been deleted from your tenant;
Deleting global admin account vs removing global admin permissions
If you remove global admin permissions from a user who has previously generated or refreshed access tokens, those access tokens will not expire.
If you only need a user to generate/refresh tokens once, you can temporarily grant them global admin permissions. Once the tokens are generated/refreshed, you can remove the global admin permissions, and the tokens will continue to function as expected.
- the authentication method for that admin account has changed, for example multi-factor authentication (MFA) has been enabled or disabled;
- the security settings in your organization have changed;
- your MFA service settings for trusted devices require users to re-authenticate very frequently. Read more below.
To keep Entra ID (Azure AD) information in email signatures up to date, you need to refresh these tokens in CodeTwo Admin Panel every time they expire. Otherwise, the software is not able to read the values of users' attributes from your Entra ID and synchronize them with your email signatures.
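As an added diagnostic (not part of this article or of CodeTwo's software), the PowerShell script below uses the Microsoft Graph PowerShell SDK to check the admin account that last refreshed the tokens against the causes listed above: whether the account still exists and is enabled, whether its password was changed after the tokens were refreshed, whether it still holds the Global Administrator role, and which authentication methods it has registered. The admin UPN, the refresh date and the Graph scopes are assumptions (placeholders); the Global Administrator role template id is the well-known Entra ID value.

```powershell
# Added diagnostic, not CodeTwo code. Requires the Microsoft.Graph PowerShell SDK.
# Replace the two placeholder values before running.
param(
    [string]$AdminUpn         = 'admin@contoso.example',  # placeholder: account that refreshed the tokens
    [datetime]$TokenRefreshed = '2024-08-01'              # placeholder: date the tokens were last refreshed
)

# Read-only scopes (assumed sufficient): user properties, auth methods, role membership.
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','Directory.Read.All' -NoWelcome

# 1. Does the account still exist? A deleted admin account invalidates the tokens.
try {
    $user = Get-MgUser -UserId $AdminUpn -ErrorAction Stop `
        -Property 'id,displayName,accountEnabled,lastPasswordChangeDateTime'
} catch {
    Write-Warning "$AdminUpn was not found in the tenant (deleted or never existed)."
    return
}
if (-not $user.AccountEnabled) { Write-Warning "$AdminUpn is disabled (blocked from signing in)." }

# 2. Was the password changed after the tokens were refreshed?
if ($user.LastPasswordChangeDateTime -gt $TokenRefreshed) {
    Write-Warning ("Password changed on {0:yyyy-MM-dd}, after the tokens were refreshed on {1:yyyy-MM-dd}." -f
        $user.LastPasswordChangeDateTime, $TokenRefreshed)
}

# 3. Is the account still a Global Administrator? Removing the role alone does not
#    expire the tokens, but without it this account cannot refresh them again.
#    62e90394-... is the well-known Global Administrator role template id.
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
if ($members.Id -notcontains $user.Id) {
    Write-Output "$AdminUpn is not a Global Administrator; grant the role (temporarily is fine) before refreshing tokens."
}

# 4. Which authentication methods are registered? A change here (MFA enabled or
#    disabled, a new authenticator) is one of the listed causes of token expiry.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
Write-Output "Registered authentication methods for ${AdminUpn}: $($methods -join ', ')"
if ($methods.Count -gt 1) {
    # Password plus at least one more method: MFA is in use, so the "remember MFA on
    # trusted device" window (see below) bounds how long the tokens stay valid.
    Write-Output 'MFA is registered; compare the remember-MFA window with how often the tokens expire.'
}
```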
MFA service settings for trusted devices
If the Microsoft 365 (Office 365) admin account used to refresh tokens in CodeTwo Admin Panel (by default, this is the global admin account that was used to register a Microsoft 365 tenant in Admin Panel, but it can be any other global admin of this tenant) uses multi-factor authentication, then the frequent expiration of access tokens may be related to the MFA service settings in your organization. Entra ID can remember authentication for a specified number of days before it prompts users to authenticate again (e.g. by performing a two-step verification). This time period is also the period in which access tokens can be used by our software before they need to be refreshed (token refreshing requires your admin to re-authenticate, as explained in the User's manual).
To check and manage your MFA service settings, you need to:
- Open the Azure portal and sign in as a global admin of your organization.
Tip
The next steps can also be performed in the Microsoft Entra admin center. To access it from your Microsoft 365 admin center, choose Admin centers > Identity.
- Choose Microsoft Entra ID from the menu on the left and then click Users (Fig. 2.).
Fig. 2. Accessing the settings for users.
- Click Per-user MFA (Fig. 3.).
Fig. 3. Opening the MFA settings.
- Select the service settings tab and go to the remember multi-factor authentication on trusted device section (Fig. 4.).
Fig. 4. Managing MFA service settings for trusted devices.
- Check for how many days Entra ID (Azure AD) remembers authentication in your organization - this period also determines how often the CodeTwo software's access tokens need to be refreshed.
Depending on your organization's settings, this section can be configured differently or may not be configured at all. If the checkbox is not selected, the frequent/unexpected expiry of access tokens is probably caused by other factors. When you select the checkbox for the first time, the default value is 14 days.
- Modify the number of days, if necessary. For example, if the period is too short for you, you can increase it.
Warning
These settings are applied to all MFA-enabled users and have a direct influence on your organization's security.
- Save the changes.
Related products: CodeTwo Email Signatures for Office 365 1.x
Categories: Troubleshooting
Last modified: August 14, 2024
Created: October 22, 2018
ID: 768