vba - SQL Server ODBC ActiveDirectoryInteractive Conditional Access Policy Issue - Stack Overflow

Background: I'm leveraging VBA code in Microsoft Access to generate a DSNless approach to creating linked tables to an Azure SQL Database. Cutting edge stuff /s. This works quite well for all my users except that the security team has put in a Microsoft Entra conditional access policy that forces them to re-login with MFA every 4 hours and won't budge about it.

For the connection string, I use the following pattern:

    ' DSN-less ODBC connect string for an Azure SQL Database, using
    ' Entra ID interactive (MFA) authentication for the current user.
    Dim connectionString As String
    connectionString = "ODBC;Description=SqlServer;" & _
                       "DRIVER={ODBC Driver 17 for SQL Server}; " & _
                       "SERVER=tcp:" & svrName & ",1433; " & _
                       "DATABASE=" & dbName & "; " & _
                       "Authentication=ActiveDirectoryInteractive; " & _
                       "UID=" & userEmail & ";"

After the 4 hour period has elapsed, the following error starts to appear:

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-02-08T22:49:01.5679772Z and the maximum allowed lifetime for this request is 14400. Trace ID: 2a0f4a74-30dc-49b4-b837-d62573b51200 Correlatio Microsoft OLE DB Provider for ODBC Drivers -2147467259

When trying to reconnect, Access then seems to get caught in a loop where these windows (shown in the screenshot below) continue to pop up in a seemingly endless cycle (which I believe is a pop-up per table connection).

Things I've tried and have not worked:

  1. "Compact and Repair Database"
  2. Variations of the Authentication types shown in the MS docs for Using Entra with the ODBC Driver for SQL Server
  3. Upgrading to use the SQL Server 18 ODBC Driver.
  4. Using "Refresh" or "Relink" for all the tables.

I could switch to using an account with SQL Authentication, but the security team is pushing back because it's not best security practice. I'll have that tough conversation if I really have to and can't solve this via the AD route.

However, I am very surprised the ODBC driver isn't taking care of using the refresh token to get a new access token for the connection behind the scenes. I would rather not set up my own custom VBA OAuth process to generate this token.

Question: How could I force Access to "forget" about its current OAuth access and refresh token pairs so it could prompt the MFA login over again and get new token values without users having to close and reopen the application?
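For reference, the DSN-less relink the question describes, written out as an added example (not the poster's code): it builds the connect string from the same pattern and re-points every ODBC-linked table at it via DAO. It assumes svrName, dbName and userEmail are supplied by the caller; as the poster notes, relinking alone did not clear the prompt loop for them.

```vba
' Added example, not the poster's code. Builds the DSN-less connect string
' used in the question, with encryption kept on and certificate checks left
' enabled so the MFA-protected connection is not downgraded.
Public Function BuildEntraConnect(svrName As String, dbName As String, _
                                  userEmail As String) As String
    BuildEntraConnect = "ODBC;Description=SqlServer;" & _
        "DRIVER={ODBC Driver 18 for SQL Server};" & _
        "SERVER=tcp:" & svrName & ",1433;" & _
        "DATABASE=" & dbName & ";" & _
        "Encrypt=yes;TrustServerCertificate=no;" & _
        "Authentication=ActiveDirectoryInteractive;" & _
        "UID=" & userEmail & ";"
End Function

' Re-point every ODBC-attached table at the given connect string.
' Each RefreshLink re-opens the link through the driver, so the driver's
' interactive sign-in prompt can appear while this loop runs.
Public Sub RelinkOdbcTables(connectString As String)
    Dim db As DAO.Database
    Dim td As DAO.TableDef
    Set db = CurrentDb
    For Each td In db.TableDefs
        ' dbAttachedODBC is the DAO attribute flag for ODBC-linked tables.
        If (td.Attributes And dbAttachedODBC) <> 0 Then
            td.Connect = connectString
            td.RefreshLink
        End If
    Next td
End Sub

' Usage (svrName, dbName, userEmail are placeholders for the caller's values):
' RelinkOdbcTables BuildEntraConnect(svrName, dbName, userEmail)
```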
