Azure AD attributes are not updated in email signatures (OAuth tokens expired)

Problem:

Azure Active Directory attributes in the email signatures of your users are not synchronized with your Azure AD and, as a result, your signatures contain outdated user information. The CodeTwo Admin Panel shows a warning that your OAuth 2.0 access tokens have expired (Fig. 1.), and you receive an email notification from CodeTwo, asking you to refresh them.

Fig. 1. CodeTwo Admin Panel shows that OAuth 2.0 access tokens have expired.

Solution:

To keep Active Directory information in email signatures up to date, you need to refresh the OAuth 2.0 access tokens periodically in the CodeTwo Admin Panel (learn how to do that). Otherwise, the software is not able to read the values of users' attributes from your Azure AD and synchronize them with your email signatures. The access tokens can be valid for up to 90 days, but the validity period depends on your organization's settings and can be shorter.
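An Azure AD access token is a JWT whose payload carries its own issue time (iat) and expiry time (exp), so an administrator investigating unexpected token expiry can decode a token and see exactly how long it was valid for. The script below is an added example, not CodeTwo's code: it decodes the claims without verifying the signature (diagnostic use only, so it says what the token claims about itself, not whether it is genuine) and reports the token's lifetime and remaining validity. The sample token it builds is constructed for the demonstration; the longer period during which expired tokens can still be refreshed is governed by your tenant's settings and is not visible inside the access token itself.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Diagnostic use only: the result tells you what the token says about
    itself (issuer, audience, iat, exp, ...), not whether it is authentic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_validity(token: str, now: Optional[datetime] = None) -> dict:
    """Summarise when a token was issued, when it expires and how long is left."""
    claims = decode_jwt_claims(token)
    now = now or datetime.now(timezone.utc)
    issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    remaining = expires - now
    return {
        "upn": claims.get("upn"),
        "issued_at": issued.isoformat(),
        "expires_at": expires.isoformat(),
        "lifetime_minutes": int((expires - issued).total_seconds() // 60),
        "remaining_minutes": int(remaining.total_seconds() // 60),
        "expired": remaining.total_seconds() <= 0,
    }


def make_sample_token(iat: int, exp: int, upn: str) -> str:
    """Build a constructed, unsigned sample token (alg 'none') for the demo.

    Real Azure AD tokens are signed; this helper only exists so the example
    runs offline without contacting any tenant.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "iat": iat,
        "nbf": iat,
        "exp": exp,
        "upn": upn,                                   # constructed sample value
        "aud": "https://graph.microsoft.com",         # constructed sample value
    }).encode())
    # Empty third segment: no signature, which is why this is diagnostic only.
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed example: a one-hour token checked half-way through its life.
    sample = make_sample_token(1700000000, 1700003600, "admin@example.onmicrosoft.com")
    check_time = datetime.fromtimestamp(1700001800, tz=timezone.utc)
    print(json.dumps(token_validity(sample, now=check_time), indent=2))
```

To inspect a real token, paste its value into `token_validity()`; a token that reports `expired: True`, or a `lifetime_minutes` far shorter than you expect, points at the tenant-side causes listed in this article rather than at the signature software.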

If your tokens expire very often (for example, every couple of days) or have expired unexpectedly, it might be caused by one of these factors:

  • the password for the admin account used to refresh tokens in the CodeTwo Admin Panel has been changed;
  • the authentication method for the admin account used to refresh tokens has changed, for example multi-factor authentication (MFA) has been enabled or disabled;
  • the security settings in your organization have changed;
  • your MFA service settings for trusted devices require users to re-authenticate very frequently. Read more below.

MFA service settings for trusted devices

If the Office 365 admin account used to refresh tokens in the CodeTwo Admin Panel uses multi-factor authentication, then the frequent expiration of access tokens may be related to the MFA service settings in your organization. Azure AD can remember authentication for a specified number of days before it prompts users to authenticate again (e.g. by performing a two-step verification). This time period is also the period in which access tokens can be used by our software before they need to be refreshed (token refreshing requires your admin to re-authenticate, as explained in the User's manual).

To check and manage your MFA service settings, you need to:

  1. Open the Azure portal and sign in as a global admin of your organization.

    Tip

    The next steps can also be performed in Azure Active Directory admin center, which has the same interface as the Azure portal, but the available options are limited to AD management only. You can access Azure AD admin center from your Microsoft 365 (Office 365) admin center, by choosing Admin centers > Azure Active Directory.

  2. Choose Azure Active Directory from the menu on the left and then click Users (Fig. 2.).

Fig. 2. Accessing the Azure AD settings for users.

  3. Click Multi-Factor Authentication (Fig. 3.).

Fig. 3. Opening the MFA settings.

  4. Select the service settings tab and go to the remember multi-factor authentication section (Fig. 4.).

Fig. 4. Managing MFA service settings for trusted devices.

  5. Check for how many days Azure AD remembers authentication in your organization: this period also indicates how often the CodeTwo software's access tokens are refreshed.
    Depending on your organization's settings, this section can be configured differently or may not be configured at all. If the checkbox is not selected, the access tokens are usually valid for 90 days (if this is your case, then the frequent/unexpected expiry of access tokens is probably caused by other factors). When you select the checkbox for the first time, the default value is 14 days.
  6. Modify the number of days, if necessary. For example, if the period is too short for you, you can increase it.

    Warning

    These settings are applied to all MFA-enabled users and have a direct influence on your organization's security.

  7. Save the changes.