Renewing Expired Tokens
When you are unable to login to Azure using Microsoft 365 token authentication then it is most likely that your token has expired. The procedure below describes how to renew an expired token. The following figures show example expired token messages.
The dbo.MsalError table can be found in SQL Studio, under the SysAdminTenant database. It can be sorted by "Id desc" to view the most recent MsalErrors.
| ➢ | To renew expired tokens: |
| 1. | In the Multitenant interface, open the Authentication Status page (Security menu > Authentication Status) to determine which tenants have expired Tokens (see Authentication Status). |
| 2. | In the Multitenant portal Tenants screen, select the SysAdmin link under the tenant whose token you wish to renew. |
| 3. | In the Customer portal Navigation pane, select Configuration > M365 Configuration. |
| 4. | Click Switch to auth token. |
| 5. | An email pop-up window is displayed. Enter the email address to send the token invitation ( this does not have to be a real email address). |
| 6. | Click OK to send the invitation to the tenant. |
| 7. | In the Multitenant portal, navigate to the Customer Invitations screen (Monitoring > Customer > Pending Invitations). |
| 8. | Click Auth URL. |
| 9. | Click the clipboard icon to copy the link. Send the link to the customer to begin the Onboarding process. The customer can then paste the link in a new Incognito/private browser window. |
| 10. | Ensure that the correct email is populated in the M365 admin username and then click Start authentication. |
| 11. | Copy the Code using the clipboard button. |
| 12. | Click the Microsoft hyperlink to start the Login Authentication process. |
| 13. | Paste the code you previously copied. |
| 14. | Enter in the credentials of the account that was loaded at the beginning of the process. This is also the account that is loaded in the Microsoft 365 Settings page menu page. |
If the Enterprise Application in the customer’s Azure environment was not deleted (is still present), then the below windows will appear, and the Permissions requests will not be triggered.
If the Enterprise Application was deleted, then the Permissions requested will appear. See below.
| 15. | Click the check box Consent on behalf of your organization. |
The customer account must have Global Administrator role for this check box to appear. The role can be removed after the token onboarding has completed.
| 16. | Click here to continue the authentication process. |
| 17. | Sign in with the same customer IT administrator account used throughout this process. |
The customer account must have Global Administrator role for this check box to appear. The role can be removed after the token onboarding has completed.
| 18. | When you see this window, return to the original Onboarding window, you will see the “All tokens acquired! You can close this page now.” |
| 19. | Return to the Microsoft 365 Settings page in the Customer portal. |
| 20. | Click Validate Authentication. |
Once successfully validated, the green banner is displayed.
