Device Code Flow - Microsoft Azure Authentication

What is the duration of the token we get when authenticating to Azure resources using Device Code Flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-device-code-flow?tabs=dotnet.

Is there a "refresh token" that we can activate after the first one expires? If so, is the refresh token activated behind the scenes, or should I manually activate it (and how)?

I created an Azure AD Application and enabled the mobile and desktop flows:

I used the below Python code to generate the access token to authenticate Microsoft Graph API for sample:

import msal

config = {
    "client_id": "ClientID",
    "authority": "https://login.microsoftonline.com/TenantID",
    "scope": ["User.Read"],
}
app = msal.PublicClientApplication(
    config["client_id"], authority=config["authority"],
    token_cache=msal.SerializableTokenCache(),
)

result = None

# First, try to get a token from the cache.
accounts = app.get_accounts()
if accounts:
    # Use the first account to acquire a token silently.
    result = app.acquire_token_silent(config["scope"], account=accounts[0])

if not result:
    # If a token is not available in the cache, use the device flow to acquire a new token.
    flow = app.initiate_device_flow(scopes=config["scope"])
    print(flow["message"])
    result = app.acquire_token_by_device_flow(flow)

# Use the access token to call the Microsoft Graph API.
if "access_token" in result:
    access_token = result["access_token"]
    print(access_token)
else:
    error = result.get("error")
    if error == "invalid_client":
        print("Invalid client ID.Please check your Azure AD application configuration")
    else:
        print(error)

And is there a "refresh token" that we can activate after the "initial token" reaches expiration? If so, is the refresh token activated behind the scenes, or should I explicitly activate it in the code?

Note that: Azure AD MSAL refreshes the token automatically when the access token is about to expire. Refer this MsDoc.

• MSAL stores the refresh token in cache. Hence you can make use of token cache to refresh the token automatically.

#check the cache to see whether we already have some accounts that the end user already used to sign in before.
accounts = app.get_accounts()
if accounts:
    # If so, you could then somehow display these accounts and let end user choose
    print("Pick the account you want to use to proceed:")
    for a in accounts:
        print(a["username"])
    # Assuming the end user chose this one
    chosen = accounts[0]
    # Now let's try to find a token in cache for this account
    result = app.acquire_token_silent(["User.Read"], account=chosen)

• If you are not making use of MSAL then you must make use of acquire_token_by_refresh_token() method to refresh the access token.
• If you are using MSAL, when you call acquire_token_silent(), a new access token can be retrieved because MSAL automatically maintains refresh token inside of its token cache.

References:

Microsoft Authentication Library (MSAL) for Python

MSAL Python 1.23.0 documentation (msal-python.readthedocs.io)