|
| 1 | +--- |
| 2 | +title: Error code AADSTS50173 - The Provided Grant Has Expired Due to it Being Revoked |
| 3 | +description: Discusses how to handle a situation in which a user receives an AADSTS50173 error when trying to sign in to an application. |
| 4 | +author: custorod |
| 5 | +ms.author: custorod |
| 6 | +ms.reviewer: joaos |
| 7 | +ms.service: entra-id |
| 8 | +ms.topic: troubleshooting-problem-resolution |
| 9 | +ms.date: 02/21/2025 |
| 10 | +ms.subservice: authentication |
| 11 | +ms.custom: sap:Issues signing in to applications |
| 12 | +--- |
| 13 | + |
| 14 | +# Error AADSTS50173 - The provided grant has expired due to it being revoked |
| 15 | + |
| 16 | +## Symptoms |
| 17 | + |
| 18 | +When users try to sign in to an application that uses Microsoft Entra ID authentication, they receive the following error message: |
| 19 | + |
| 20 | +> `AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'.` |
| 21 | +
|
| 22 | + |
| 23 | +## Cause |
| 24 | + |
| 25 | +This error occurs if the refresh token that's used for authentication is revoked. This issue occurs if: |
| 26 | + |
| 27 | +- The user changes or resets their password. |
| 28 | +- The refresh token expires. |
| 29 | +- An administrator revokes the refresh token. |
| 30 | + |
| 31 | +For more information, see: |
| 32 | + |
| 33 | +- [Refresh tokens in the Microsoft identity platform](/entra/identity-platform/refresh-tokens#token-revocation) |
| 34 | +- [Revoke user access in Microsoft Entra ID](/entra/identity/users/users-revoke-access) |
| 35 | + |
| 36 | +## Resolution |
| 37 | + |
| 38 | +To resolve this issue, follow the applicable steps. |
| 39 | + |
| 40 | +### For users |
| 41 | + |
| 42 | +On the application that experiences the issues, try to locate an option to reauthenticate or clear any cached token information. You can also perform these actions by signing out and signing back in to the application (if this step is applicable or available). |
| 43 | + |
| 44 | +### For application developers |
| 45 | + |
| 46 | +If the application is using [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview), follow [this guidance to handle errors and exceptions in MSAL](/entra/msal/dotnet/advanced/exceptions/msal-error-handling). |
| 47 | + |
| 48 | +If the application isn't using [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview), follow this guidance to [handle errors and exceptions in MSAL](/entra/msal/dotnet/advanced/exceptions/msal-error-handling), and try to implement a similar approach on the application. The goal is to request that the user reauthenticate and obtain a fresh token. |
| 49 | + |
| 50 | +## More information |
| 51 | + |
| 52 | +For a full list of authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/entra/identity-platform/reference-error-codes). |
| 53 | + |
| 54 | +To investigate individual errors, go to [https://login.microsoftonline.com/error](https://login.microsoftonline.com/error). |
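Review bot: In the Cause list (new lines 25-28), "The refresh token expires" is given as one of the ways the refresh token "is revoked", but expiry is not revocation, and the error text quoted at line 20 speaks only of a revoked grant and the user's TokensValidFrom date. Either drop that bullet or reword the lead-in so that it covers both cases. The two openers "This error occurs if ..." and "This issue occurs if:" could also be merged into one sentence. In "For application developers" (lines 46-48), the non-MSAL paragraph points readers at the MSAL.NET error-handling page and states the actual requirement only in its last sentence. Consider leading with that requirement, for example "discard the cached token and request that the user reauthenticate to obtain a fresh token", so that developers on other stacks do not keep retrying with the rejected refresh token. Both paragraphs also repeat the same MSAL overview link, and one occurrence is enough. Minor: the front-matter title (line 2) uses title case with a lowercase "it", while the H1 (line 14) uses sentence case. Align the two.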