How to Resolve Copilot ‘AAD Refresh Token Revoked’ on Lock Screen Wake

When you unlock your Windows 11 or Windows 10 device after a period of inactivity, Copilot may display the error “AAD Refresh Token Revoked” and stop responding. This error means the authentication token that Copilot uses to connect to your Microsoft 365 tenant has been invalidated during the lock screen state. The issue typically stems from conditional access policies, token lifetime settings, or network connectivity changes that occur while the device is locked. This article explains why the token is revoked and provides specific steps to restore Copilot functionality after waking the device.

Key Takeaways: Fixing Copilot AAD Refresh Token Revoked on Lock Screen Wake

  • Microsoft 365 admin center > Conditional Access > Policies: Check if policies require reauthentication after a lock screen event, which revokes the token.
  • Windows lock screen > Sign out and sign back in: Forces a fresh token acquisition and clears the revoked token state for Copilot.
  • Settings > Accounts > Access work or school > Disconnect and reconnect: Resets the Azure AD registration and token cache tied to Copilot.

Why Copilot Shows “AAD Refresh Token Revoked” After Lock Screen Wake

The error occurs because Copilot relies on an Azure Active Directory refresh token to maintain its connection to Microsoft 365 services. When you lock your device, the operating system may not keep the network session active, and conditional access policies or token lifetime limits can invalidate the token. Common triggers include:

Conditional Access Policies Requiring Reauthentication

Many organizations configure conditional access policies that require reauthentication after a period of inactivity. These policies may apply to all cloud apps, including Copilot. When the device is locked and then unlocked, the policy detects the inactivity gap and revokes the existing refresh token. Copilot cannot silently acquire a new token until the user signs in again.

Token Lifetime Exceeded During Lock Screen

Azure AD refresh tokens have a default lifetime of 90 days, but administrators can set shorter lifetimes through token lifetime policies. If the device remains locked for longer than the configured token lifetime, the refresh token expires. Upon unlock, Copilot attempts to use the expired token and receives the revocation error.

Network Disconnection While Locked

Windows may disconnect from the network after a period of inactivity to save power. When the device wakes, the network stack may not reinitialize fully before Copilot tries to validate its token. This incomplete reconnection can cause the token validation to fail, resulting in the revocation error.

Steps to Resolve Copilot AAD Refresh Token Revoked on Lock Screen Wake

Follow these steps in order to restore Copilot functionality. The first step resolves the issue in most cases without additional configuration.

Method 1: Sign Out and Sign Back Into Windows

  1. Sign out of Windows
    Press Ctrl+Alt+Delete on your keyboard, then select Sign out. Wait for the sign-out process to complete.
  2. Sign back in
    On the lock screen, enter your credentials. This action forces Windows to acquire a fresh AAD refresh token for all apps, including Copilot.
  3. Open Copilot
    Press the Copilot key on your keyboard or click the Copilot icon in the taskbar. The error should no longer appear.

Method 2: Disconnect and Reconnect Your Work or School Account

If signing out does not resolve the error, reset the Azure AD registration for your device.

  1. Open Settings
    Press Windows+I to open Settings. Navigate to Accounts > Access work or school.
  2. Disconnect your account
    Click your work or school account, then click Disconnect. Confirm the action when prompted.
  3. Restart the device
    Restart Windows to clear any cached tokens.
  4. Reconnect the account
    Go back to Settings > Accounts > Access work or school. Click Connect and sign in with your Microsoft 365 credentials.
  5. Verify Copilot
    Open Copilot and check if the error is gone.

Method 3: Adjust Conditional Access Policies (Admin Required)

If the error persists for multiple users, an administrator should review conditional access policies in the Microsoft 365 admin center.

  1. Open the Azure portal
    Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator.
  2. Navigate to Conditional Access
    Go to Azure Active Directory > Security > Conditional Access.
  3. Review policies
    Look for policies that target All cloud apps or Microsoft Copilot and have a session control requiring reauthentication after inactivity.
  4. Modify the policy
    Edit the policy to exclude Copilot from the reauthentication requirement, or set a longer inactivity timeout. Save the changes.
  5. Test the fix
    Lock and unlock a test device. Open Copilot to confirm the error no longer appears.
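For administrators working through the review in step 3, the following read-only script is an added example and not part of the original article. It uses the Microsoft Graph PowerShell SDK (assumed installed, with an account able to consent to Policy.Read.All) to list every conditional access policy whose session controls enforce a sign-in frequency, which is the control that expresses a reauthentication interval, and shows whether each policy targets all cloud apps or a specific application list, so the policy that revokes the token after a lock screen wake can be identified before it is edited.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the signed-in
# account can consent to the Policy.Read.All delegated permission.
# The script only reads policies; it changes nothing in the tenant.

Connect-MgGraph -Scopes 'Policy.Read.All'

function Get-ReauthPolicies {
    # -All pages through every conditional access policy in the tenant
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    foreach ($p in $policies) {
        $sif = $p.SessionControls.SignInFrequency
        # Only policies with an enabled sign-in frequency force reauthentication
        if (-not $sif -or -not $sif.IsEnabled) { continue }

        $apps = $p.Conditions.Applications.IncludeApplications
        $frequency = if ($sif.FrequencyInterval -eq 'everyTime') {
            'every sign-in'
        } else {
            "$($sif.Value) $($sif.Type)"   # e.g. "1 hours" or "7 days"
        }

        [pscustomobject]@{
            Policy        = $p.DisplayName
            State         = $p.State          # enabled / disabled / enabledForReportingButNotEnforced
            Frequency     = $frequency
            CoversAllApps = ($apps -contains 'All')
            IncludedApps  = ($apps -join ', ')
            ExcludedApps  = ($p.Conditions.Applications.ExcludeApplications -join ', ')
        }
    }
}

# Policies scoped to "All" cloud apps are listed first, since those are the
# ones most likely to catch Copilot along with everything else.
Get-ReauthPolicies | Sort-Object CoversAllApps -Descending | Format-Table -AutoSize -Wrap
```

When reviewing the output, note that a policy in the enabledForReportingButNotEnforced state does not revoke tokens; only enabled policies do. If Copilot is to be excluded, the application ID to add under ExcludedApps is whatever the tenant's enterprise application list shows for Copilot; the script does not assume a specific ID.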

If Copilot Still Has Issues After the Main Fix

Copilot Shows the Error After Every Lock Screen Event

This pattern indicates a persistent token refresh problem. Check the Windows event logs for token-related errors. Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > AAD. Look for error events with ID 1008 or 1010; these events point to a token acquisition failure. If they are present, run the following command in an elevated PowerShell window: dsregcmd /leave. Then restart the device and rejoin it to Azure AD using dsregcmd /join.
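The event log check above can be scripted so that the evidence is collected before any registration is reset. The script below is an added example, not part of the original article: run in an elevated PowerShell session on the affected device, it pulls the AAD operational log events with the IDs named above from the last 24 hours (the log channel name 'Microsoft-Windows-AAD/Operational' is the channel Event Viewer shows under Applications and Services Logs > Microsoft > Windows > AAD), correlates them with the lock and unlock events in the Security log, and prints the Azure AD join and Primary Refresh Token lines from dsregcmd /status. The 4800/4801 correlation is an assumption that those Security events are being audited on the device.

```powershell
# Added example, not from the original article or from Microsoft.
# Run as an administrator on the affected device. Read-only: it collects
# evidence and changes no registration or token state.

param(
    [int]$HoursBack = 24,
    [int[]]$EventIds = @(1008, 1010)   # token acquisition failure IDs named in the article
)

function Get-AadTokenFailureEvents {
    param([int]$HoursBack, [int[]]$EventIds)
    $filter = @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        Id        = $EventIds
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Get-LockUnlockEvents {
    param([int]$HoursBack)
    # Security log: 4800 = workstation locked, 4801 = workstation unlocked.
    # These only exist if "Other Logon/Logoff Events" auditing is enabled (assumption).
    $filter = @{
        LogName   = 'Security'
        Id        = @(4800, 4801)
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Event'; Expression = { if ($_.Id -eq 4800) { 'Locked' } else { 'Unlocked' } } }
}

$tokenEvents = Get-AadTokenFailureEvents -HoursBack $HoursBack -EventIds $EventIds
if (-not $tokenEvents) {
    Write-Host "No AAD events with ID $($EventIds -join ', ') in the last $HoursBack hours."
} else {
    Write-Host "AAD token failure events (newest first):"
    $tokenEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap

    # For each token failure, show the most recent unlock that preceded it.
    # A failure that consistently follows an unlock within a few seconds matches
    # the lock-screen-wake pattern described above.
    $unlocks = Get-LockUnlockEvents -HoursBack $HoursBack | Where-Object Event -eq 'Unlocked'
    foreach ($e in $tokenEvents) {
        $prior = $unlocks | Where-Object { $_.TimeCreated -le $e.TimeCreated } |
                 Sort-Object TimeCreated -Descending | Select-Object -First 1
        if ($prior) {
            $gap = [math]::Round(($e.TimeCreated - $prior.TimeCreated).TotalSeconds)
            Write-Host ("Event {0} at {1}: {2}s after unlock at {3}" -f $e.Id, $e.TimeCreated, $gap, $prior.TimeCreated)
        }
    }
}

# AzureAdJoined / AzureAdPrt show whether the device currently holds a Primary
# Refresh Token; silent token acquisition for Copilot depends on that PRT.
Write-Host "`nDevice registration state:"
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|AzureAdPrt\b|AzureAdPrtUpdateTime'
```

Save the output before running dsregcmd /leave, because leaving and rejoining clears the state that explains why the token was revoked.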

Copilot Works Only After a Full Restart

If restarting the device resolves the error but locking and unlocking does not, the issue is likely a stale network session. Configure Windows to keep the network adapter active during sleep. Go to Control Panel > Power Options > Change plan settings > Change advanced power settings. Expand Sleep and set Allow wake timers to Enable. Expand Wireless Adapter Settings and set Power Saving Mode to Maximum Performance.

Error Occurs on Multiple Devices for the Same User

This suggests the user account itself has a corrupted token cache. In the Microsoft 365 admin center, go to Users > Active users. Select the affected user, then click Revoke sessions. This forces the user to sign in again on all devices. After revocation, have the user lock and unlock a device to trigger a fresh token acquisition for Copilot.

Copilot AAD Refresh Token Revoked vs Other Token Errors

Item                | AAD Refresh Token Revoked                               | Other Token Errors
--------------------|---------------------------------------------------------|------------------------------------------------
Description         | Token invalidated due to policy or inactivity           | Token expired, malformed, or missing
Common trigger      | Lock screen wake after inactivity                       | Manual sign-out, password change, or app update
Primary fix         | Sign out and sign back into Windows                     | Reinstall Copilot or clear app cache
Admin action needed | Conditional Access policy review                        | Token lifetime policy adjustment
Persistence         | Recurs on each lock screen event if policy is unchanged | Resolved after one-time token refresh

The “AAD Refresh Token Revoked” error on lock screen wake is tied to conditional access policies and token lifetime limits. The error differs from other token failures because it recurs each time the device is locked and unlocked. Other token errors, such as “AADSTS70008,” occur after a password reset or when the token cache is corrupted and are resolved by a single sign-out action.

Now you can resolve the Copilot “AAD Refresh Token Revoked” error by signing out of Windows or disconnecting and reconnecting your work or school account. If the issue persists, ask your administrator to review conditional access policies targeting Microsoft Copilot. For recurring cases, use the dsregcmd /leave and dsregcmd /join commands to reset the Azure AD registration.