Azure AD attributes are not updated in email signatures (OAuth tokens expired)

Problem:

Azure Active Directory attributes in the email signatures of your users are not synchronized with your Azure AD and, as a result, your signatures contain outdated user information. CodeTwo Admin Panel shows a warning that your OAuth 2.0 access tokens have expired (Fig. 1.), and you receive an email notification from CodeTwo, asking you to refresh them.

Fig. 1. CodeTwo Admin Panel shows that OAuth 2.0 access tokens have expired.

Solution:

The OAuth 2.0 access tokens are set to not expire under normal circumstances. If your tokens expire regularly or have expired unexpectedly, it might be caused by one of these factors:

• the password for the global admin account used to manage your tenant in CodeTwo Admin Panel (or the global admin account used to previously refresh the access tokens) has been changed;
• the authentication method for that admin account has changed, for example multi-factor authentication (MFA) has been enabled or disabled;
• the security settings in your organization have changed;
• your MFA service settings for trusted devices require users to re-authenticate very frequently. Read more below.

To keep Active Directory information in email signatures up to date, you need to refresh these tokens in CodeTwo Admin Panel (learn how to do that) every time they expire. Otherwise, the software is not able to read the values of users' attributes from your Azure AD and synchronize them with your email signatures.

MFA service settings for trusted devices

If the Microsoft 365 (Office 365) admin account used to refresh tokens in CodeTwo Admin Panel (by default, this is the global admin account that was used to register a Microsoft 365 tenant in Admin Panel, but it can be any other global admin of this tenant) uses multi-factor authentication, then the frequent expiration of access tokens may be related to the MFA service settings in your organization. Azure AD can remember authentication for a specified number of days before it prompts users to authenticate again (e.g. by performing a two-step verification). This time period is also the period in which access tokens can be used by our software before they need to be refreshed (token refreshing requires your admin to re-authenticate, as explained in the User's manual).

To check and manage your MFA service settings, you need to:

1. Open the Azure portal and sign in as a global admin of your organization.

   Tip

   The next steps can also be performed in the Microsoft Entra admin center, which has almost the same interface as the Azure portal, but the available options are limited to AD management only. You can access the Microsoft Entra admin center from your Microsoft 365 admin center, by choosing Admin centers > Azure Active Directory.

2. Choose Azure Active Directory from the menu on the left and then click Users (Fig. 2.).

Fig. 2. Accessing the Azure AD settings for users.

3. Click Per-user MFA (Fig. 3.).

Fig. 3. Opening the MFA settings.

4. Select the service settings tab and go to the remember multi-factor authentication on trusted device section (Fig. 4.).

Fig. 4. Managing MFA service settings for trusted devices.

5. Check for how many days Azure AD remembers authentication in your organization - this period also indicates how often the CodeTwo software's access tokens are refreshed.
   Depending on your organization's settings, this section can be configured differently or may not be configured at all. If the checkbox is not selected, the frequent/unexpected expiry of access tokens is probably caused by other factors. When you select the checkbox for the first time, the default value is 14 days.
6. Modify the number of days, if necessary. For example, if the period is too short for you, you can increase it.

   Warning

   These settings are applied to all MFA-enabled users and have a direct influence on your organization's security.

7. Save the changes.