diff --git a/plugin/azure_active_directory/src/AzureActiveDirectory.php b/plugin/azure_active_directory/src/AzureActiveDirectory.php
index f3467cebea..88f1e079ab 100644
--- a/plugin/azure_active_directory/src/AzureActiveDirectory.php
+++ b/plugin/azure_active_directory/src/AzureActiveDirectory.php
@@ -213,7 +213,7 @@ class AzureActiveDirectory extends Plugin
      * @throws Exception
      */
     public function registerUser(
-        AccessTokenInterface $token,
+        AccessTokenInterface &$token,
         Azure $provider,
         array $azureUserInfo,
         string $apiGroupsRef = 'me/memberOf',
@@ -319,7 +319,7 @@ class AzureActiveDirectory extends Plugin
      * @throws Exception
      */
     private function formatUserData(
-        AccessTokenInterface $token,
+        AccessTokenInterface &$token,
         Azure $provider,
         array $azureUserInfo,
         string $apiGroupsRef,
@@ -378,7 +378,7 @@ class AzureActiveDirectory extends Plugin
      * @throws Exception
      */
     private function getUserRoleAndCheckIsAdmin(
-        AccessTokenInterface $token,
+        AccessTokenInterface &$token,
         Azure $provider,
         string $apiRef = 'me/memberOf',
         string $groupObjectIdKey = 'objectId'
diff --git a/plugin/azure_active_directory/src/AzureCommand.php b/plugin/azure_active_directory/src/AzureCommand.php
index 18ecc04284..6ebd9ded2b 100644
--- a/plugin/azure_active_directory/src/AzureCommand.php
+++ b/plugin/azure_active_directory/src/AzureCommand.php
@@ -2,6 +2,8 @@
 /* For license terms, see /license.txt */
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
+use League\OAuth2\Client\Token\AccessTokenInterface;
 use TheNetworg\OAuth2\Client\Provider\Azure;
 class AzureCommand
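Review bot: The new by-reference `AccessTokenInterface &$token` on registerUser is not mentioned in the docblock above it, and since PHP already passes objects by handle the reference only has an effect when the body reassigns `$token` — presumably to hand a refreshed token back to the caller — which is a caller-visible side effect worth stating. Suggested addition to the docblock: `@param AccessTokenInterface &$token Token used for Graph requests; may be replaced by a refreshed token, so callers must pass a variable.` The same applies to the formatUserData and getUserRoleAndCheckIsAdmin hunks, which now also require `$token` to be forwarded as a plain variable. The bodies of all three methods lie outside the hunks, so whether `$token` is actually reassigned cannot be confirmed here.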
@@ -21,4 +23,19 @@ class AzureCommand
         $this->plugin->get_settings(true);
         $this->provider = $this->plugin->getProviderForApiGraph();
     }
+
+    /**
+     * @throws IdentityProviderException
+     */
+    protected function getToken(?AccessTokenInterface $currentToken = null): AccessTokenInterface
+    {
+        if (!$currentToken || ($currentToken->getExpires() && !$currentToken->getRefreshToken())) {
+            return $this->provider->getAccessToken(
+                'client_credentials',
+                ['resource' => $this->provider->resource]
+            );
+        }
+
+        return $currentToken;
+    }
 }
diff --git a/plugin/azure_active_directory/src/AzureSyncUsergroupsCommand.php b/plugin/azure_active_directory/src/AzureSyncUsergroupsCommand.php
index 6677683596..26a6215d1c 100644
--- a/plugin/azure_active_directory/src/AzureSyncUsergroupsCommand.php
+++ b/plugin/azure_active_directory/src/AzureSyncUsergroupsCommand.php
@@ -15,10 +15,7 @@ class AzureSyncUsergroupsCommand extends AzureCommand
     {
         yield 'Synchronizing groups from Azure.';
-        $token = $this->provider->getAccessToken(
-            'client_credentials',
-            ['resource' => $this->provider->resource]
-        );
+        $token = $this->getToken();
         foreach ($this->getAzureGroups($token) as $azureGroupInfo) {
             $usergroup = new UserGroup();
@@ -80,6 +77,8 @@ class AzureSyncUsergroupsCommand extends AzureCommand
         );
         do {
+            $token = $this->getToken($token);
+
             try {
                 $azureGroupsRequest = $this->provider->request('get', "groups?$query", $token);
             } catch (Exception $e) {
@@ -121,6 +120,8 @@ class AzureSyncUsergroupsCommand extends AzureCommand
         $hasNextLink = false;
         do {
+            $token = $this->getToken($token);
+
             try {
                 $azureGroupMembersRequest = $this->provider->request(
                     'get',
diff --git a/plugin/azure_active_directory/src/AzureSyncUsersCommand.php b/plugin/azure_active_directory/src/AzureSyncUsersCommand.php
index 3e3cf3b11a..6bfed0b792 100644
--- a/plugin/azure_active_directory/src/AzureSyncUsersCommand.php
+++ b/plugin/azure_active_directory/src/AzureSyncUsersCommand.php
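Review bot: The condition in getToken tests whether the token has an expiry rather than whether it has passed: `$currentToken->getExpires() && !$currentToken->getRefreshToken()` is true for any client_credentials token that carries an expiry and no refresh token, so every call from the do-loops and the user foreach in the other files would presumably request a fresh token from the identity provider. Use the interface's expiry check while keeping a null guard, because the library's AccessToken::hasExpired() throws when no expiry is set: `if (!$currentToken || ($currentToken->getExpires() !== null && $currentToken->hasExpired())) {`. The docblock would also benefit from a summary line such as `Returns the given token, or requests a new client_credentials token when none is given or it has expired.`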
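Review bot: In the `@@ -80,6 +77,8 @@` hunk of AzureSyncUsergroupsCommand the added `$token = $this->getToken($token);` sits before the `try`, so an IdentityProviderException from the token request (the exception getToken declares) bypasses the catch that rewraps request failures and reaches the generator's consumer with a different type and message than request errors do. Either move the assignment inside the `try` or record in the method's docblock that token acquisition failures propagate as IdentityProviderException. The same placement appears in the group-members hunk `@@ -121,6 +120,8 @@` and in AzureSyncUsersCommand at `@@ -95,8 +94,14 @@`, while AzureSyncUsersCommand's first hunk keeps the call inside its try. The enclosing methods start outside these hunks.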
@@ -15,15 +15,14 @@ class AzureSyncUsersCommand extends AzureCommand
     {
         yield 'Synchronizing users from Azure.';
-        $token = $this->provider->getAccessToken(
-            'client_credentials',
-            ['resource' => $this->provider->resource]
-        );
+        $token = $this->getToken();
         $existingUsers = [];
         foreach ($this->getAzureUsers($token) as $azureUserInfo) {
             try {
+                $token = $this->getToken($token);
+
                 $userId = $this->plugin->registerUser(
                     $token,
                     $this->provider,
@@ -95,8 +94,14 @@ class AzureSyncUsersCommand extends AzureCommand
         );
         do {
+            $token = $this->getToken($token);
+
             try {
-                $azureUsersRequest = $this->provider->request('get', "users?$query", $token);
+                $azureUsersRequest = $this->provider->request(
+                    'get',
+                    "users?$query",
+                    $token
+                );
             } catch (Exception $e) {
                 throw new Exception('Exception when requesting users from Azure: '.$e->getMessage());
             }
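Review bot: The refresh added inside the foreach, `$token = $this->getToken($token);`, updates the loop's `$token`, but the iterator was created earlier with `$this->getAzureUsers($token)`, whose own do-loop (second hunk) refreshes a separate `$token`; unless getAzureUsers takes the parameter by reference (its signature is outside the hunk), neither refresh is visible to the other, so two independent token lifecycles run per sync. The registerUser change in AzureActiveDirectory.php propagates refreshed tokens by reference, so this asymmetry looks unintended; if it is deliberate, a comment next to the foreach such as `// The generator holds its own copy of the token and refreshes it independently.` would make that explicit. The enclosing method begins outside the hunk.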