Data Manager — Add OAuth Token Refresh Support for Entra ID (Azure AD) Adapter

      Current State:

      The Data Manager Entra ID (Azure AD) adapter authenticates with Microsoft Graph API using an OAuth access token obtained via a client secret. The access token has a default lifetime of 60 minutes (configurable up to a maximum in Azure, but often restricted by enterprise policies).
      When importing large datasets (e.g., 400,000+ users), the adapter paginates through multiple Graph API calls using $skiptoken. If the total time to complete all paginated requests exceeds the access token's lifetime, the token expires mid-job and the import fails with:

      InvalidAuthenticationToken — Lifetime validation failed, the token is expired.

      The adapter does not currently support automatic token refresh — once the token expires, the job fails with no recovery mechanism.

      Impact: Enterprise customers with large Azure AD directories (100k+ users) are unable to reliably complete Data Manager imports using the Entra ID adapter.

      Proposed Future State:

      The Data Manager Entra ID adapter should implement OAuth 2.0 token refresh support, specifically:

       1.  Before each paginated API call, check if the current access token is within a configurable threshold of expiry (e.g., <5 minutes remaining)
       2.  If expiring, automatically request a new access token using the stored client credentials (client ID + client secret) before proceeding
       3.  Continue the import job seamlessly without requiring manual intervention or job restart
       4.  Log token refresh events in the job execution log for transparency

      This is a standard OAuth 2.0 pattern and aligns with how most enterprise integrations handle long-running API jobs.

      Suggestions (e.g. Third Party Plugin):

      1. Increase Azure access token lifetime via Token Lifetime Policy
      2. Use CSV import instead of Entra ID adapter

              Assignee:
              Unassigned
              Reporter:
              Riyas Hameed
              Votes:
              0
              Watchers:
              1
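
The refresh behaviour proposed in steps 1 to 4 of the issue, shown as an added Python example (not Data Manager's code and not part of the original issue). `RefreshingToken`, `import_users`, `TokenExpired`, the injected `fetch_token` and `get_page` callables and the `graph.invalid` URLs are hypothetical; `demo` simulates time and Graph responses with constructed data so it runs offline.

```python
import logging
import time

log = logging.getLogger("entra_import")

class TokenExpired(Exception):
    """Raised by get_page on Graph's 401 InvalidAuthenticationToken."""

class RefreshingToken:
    def __init__(self, fetch_token, threshold_s=300, clock=time.monotonic):
        self._fetch, self._threshold, self._clock = fetch_token, threshold_s, clock
        self._token, self._expires_at, self.refresh_count = None, 0.0, 0

    def get(self, force=False):
        if force or self._token is None or self._expires_at - self._clock() < self._threshold:
            resp = self._fetch()  # client-credentials response: access_token, expires_in
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp["expires_in"])
            self.refresh_count += 1
            # Step 4: log the event and lifetime only, never the token or secret.
            log.info("token refresh #%d, valid %ss", self.refresh_count, resp["expires_in"])
        return self._token

def import_users(url, token, get_page):
    while url:
        try:
            page = get_page(url, token.get())
        except TokenExpired:
            # Expired despite the check (skew, revocation): renew once, retry same page.
            page = get_page(url, token.get(force=True))
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # Step 3: resume from the same cursor

def demo(pages=12, threshold_s=300):
    """Constructed simulation: each page takes 600 s, tokens live 3600 s."""
    now, expiry = [0.0], {}
    def fetch_token():
        tok = f"tok-{len(expiry)}"
        expiry[tok] = now[0] + 3600
        return {"access_token": tok, "expires_in": 3600}
    def get_page(url, tok):
        if now[0] >= expiry[tok]:
            raise TokenExpired(url)
        now[0] += 600
        n = int(url.rsplit("=", 1)[1])
        nxt = f"https://graph.invalid/users?$skiptoken={n + 1}" if n + 1 < pages else None
        return {"value": [{"id": n}], "@odata.nextLink": nxt}
    tok = RefreshingToken(fetch_token, threshold_s, clock=lambda: now[0])
    users = list(import_users("https://graph.invalid/users?$skiptoken=0", tok, get_page))
    return len(users), tok.refresh_count
```

With `threshold_s=0` the proactive check never fires in this simulation, so the same import completes through the single retry on `TokenExpired` instead.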
