Documentation Index

Fetch the complete documentation index at: https://docs.workspot.com/llms.txt

Use this file to discover all available pages before exploring further.

Error Code: 0xCAA20003

  • Published on Jun 15, 2026
  • 1 minute(s) read
  • AA
 Prev Next

Refresh Token Expired

Error Message

0xCAA20003 Authorization grant failed
AADSTS700082: The refresh token has expired due to inactivity

Root Cause

The BPRT token (refresh token) stored in Key Vault is expired or inactive.

From the message:

  • Token expired due to inactivity

  • Azure enforces refresh token lifetime rules

Why does this happen

Typical scenarios:

  • Token generated but not used for a long period

  • Token rotation has not been done

  • Old token still present in Key Vault

  • Pool provisioning stopped for weeks/months

👉 Azure invalidates token silently → failure during provisioning

Resolution

Regenerate BPRT token

  • Use PowerShell / WCD

  • Use the same provisioning account (Conditional Access policy excluded for MFA)

Update Key Vault

  • Replace existing secret value

  • Keep the same secret name

Reprovision VM

  • Validate join success

Validation

  • VM provisioning succeeds

  • No token errors in logs

  • Entra join completes

Key Takeaway

BPRT tokens expire due to inactivity — must be rotated proactively.

Related articles