Accounts can become stopped or invalid due to the refresh token or the password being invalid.
Refresh tokens can be invalidated by several events such as:
- User's password has changed since the refresh token was issued.
- An administrator can apply conditional access policies that restrict access to resources.
To determine what is causing tokens to be revoked the mail administrator needs to:
- If using O365 / Azure, go to Monitor > Logins - this will inform them why access was revoked.
- Typically there will be a conditional access policy. Ask the mail admin to create a policy for your application that is NOT restrictive and has long session timeouts.