Frequent re-authentication: requiring credentials to be entered again (popup window) or app is losing credentials
If you encounter an error such as the following:
AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-10-13T12:59:49.3759371Z and the maximum allowed lifetime for this request is 1209600. Trace ID: ff48e226-9290-4ab8-8507-06e236b40600 Correlation ID: 8a36f5e5-5dcc-464b-8963-cfc66cae4fc0 Timestamp: 2025-10-28 03:47:45Z
The cause is a policy set by your IT admin that requires an interactive login to refresh the token.
To work around this, you have a few options:
- Periodically uninstall the service, re-authenticate by clearing the cache, and then reinstall the service (a bit of a pain)
 
- If this is Microsoft Exchange or MsGraph: ask your IT admin to relax the Conditional Access policy in Microsoft Entra (Azure AD). The setting is under the policy’s Session controls → Sign-in frequency. The 14-day limit you are hitting (the 1209600 seconds in the error above) comes from whichever CA policy targets the Mail Attachment Downloader app and “modern authentication clients” (desktop & mobile). Even though the application tries to refresh the refresh tokens silently, without requiring you to re-enter your credentials, the IT policy tells it that it can't: you must do an interactive sign-in once the sign-in frequency (SIF) window elapses.
- (Recommended long-term) Use a Custom Application Registration and configure the required permissions and scopes. This requires your IT admin to know how to set it up. Your IT admin will then provide a Client ID, Client Secret and Tenant ID, which you can enter in the connection settings (open Settings to the right of the Account dropdown on the main window, then select the Custom App Registration tab). These credentials usually never expire, and you won't have to re-enter credentials.
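
For the IT admin tracking down which policy sets the window: the following Python script is an added example, not part of the application or the original article. It reads the issue time and maximum lifetime out of the AADSTS70043 message and lists the enabled policies in a Conditional Access JSON export whose sign-in frequency equals that lifetime. The policy entries are constructed samples, and the field names are assumed to follow the Microsoft Graph conditionalAccessPolicy resource.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Error text as shown on this page (trace/correlation IDs omitted).
ERROR = ("AADSTS70043: The refresh token has expired or is invalid due to "
         "sign-in frequency checks by conditional access. The token was issued "
         "on 2025-10-13T12:59:49.3759371Z and the maximum allowed lifetime for "
         "this request is 1209600. Timestamp: 2025-10-28 03:47:45Z")

# Constructed sample of a Conditional Access policy export; names are made up.
POLICIES = json.loads("""[
 {"displayName": "Desktop mail clients (constructed)", "state": "enabled",
  "sessionControls": {"signInFrequency":
    {"isEnabled": true, "value": 14, "type": "days", "frequencyInterval": "timeBased"}}},
 {"displayName": "Browser sessions (constructed)", "state": "enabled",
  "sessionControls": {"signInFrequency":
    {"isEnabled": true, "value": 12, "type": "hours", "frequencyInterval": "timeBased"}}},
 {"displayName": "Old pilot (constructed)", "state": "disabled",
  "sessionControls": {"signInFrequency":
    {"isEnabled": true, "value": 14, "type": "days", "frequencyInterval": "timeBased"}}},
 {"displayName": "Block legacy auth (constructed)", "state": "enabled",
  "sessionControls": null}
]""")

UNIT_SECONDS = {"hours": 3600, "days": 86400}

def parse_error(text):
    """Return (issued, lifetime_seconds, deadline) from an AADSTS70043 message."""
    m = re.search(r"issued on (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z.*?"
                  r"lifetime for this request is (\d+)", text, re.S)
    if not m:
        raise ValueError("not an AADSTS70043 sign-in frequency message")
    issued = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    lifetime = int(m.group(2))
    return issued, lifetime, issued + timedelta(seconds=lifetime)

def matching_policies(policies, lifetime):
    """Names of enabled policies whose sign-in frequency window equals lifetime."""
    hits = []
    for p in policies:
        sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
        if p.get("state") != "enabled" or not sif.get("isEnabled"):
            continue  # disabled and report-only policies do not enforce the window
        if (sif.get("value") or 0) * UNIT_SECONDS.get(sif.get("type"), 0) == lifetime:
            hits.append(p["displayName"])
    return hits

if __name__ == "__main__":
    issued, lifetime, deadline = parse_error(ERROR)
    print(f"window {lifetime // 86400} days, interactive sign-in due {deadline:%Y-%m-%d %H:%M}Z")
    print("candidate policies:", matching_policies(POLICIES, lifetime))
```
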