From d5cd6924c9da32539ab4e98f8093b8ef55734bb7 Mon Sep 17 00:00:00 2001
From: Ray Luo
Date: Tue, 2 Mar 2021 01:25:06 -0800
Subject: [PATCH] Decide to completely disable RT removal

---
 msal/application.py | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/msal/application.py b/msal/application.py
index 21f35132..8a3fcae4 100644
--- a/msal/application.py
+++ b/msal/application.py
@@ -926,12 +926,9 @@ def _acquire_token_silent_by_finding_specific_refresh_token(
 logger.debug("Cache attempts an RT")
 response = client.obtain_token_by_refresh_token(
 entry, rt_getter=lambda token_item: token_item["secret"],
- on_removing_rt=(rt_remover or self.token_cache.remove_rt)
- if # we can remove a RT when a single scope is an exact match
- len(scopes) == 1
- and set(entry.get("target", "").split()) <= set(scopes)
- else # otherwise keep the RT as it might work for a subset of scopes
- lambda rt_item: None, # No OP
+ on_removing_rt=lambda rt_item: None, # Disable RT removal,
+ # because an invalid_grant could be caused by new MFA policy,
+ # the RT could still be useful for other MFA-less scope or tenant
 on_obtaining_tokens=lambda event: self.token_cache.add(dict(
 event,
 environment=authority.instance,
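Review bot: With `on_removing_rt=lambda rt_item: None`, an `invalid_grant` never evicts anything, so a refresh token that was genuinely revoked or expired stays in the token cache (and in whatever storage backs it) and is presented again on every silent call. The removed lines also consulted `rt_remover`, which this call now ignores; if the enclosing function still accepts that parameter (its signature is outside the hunk), callers passing it get no effect, so it should be dropped or documented as unused. I would extend the comment to state the trade-off, e.g. `# NOTE: revoked RTs are no longer evicted here; they stay cached until something else removes them`. A `logger.debug` call inside the no-op would also make repeated failures on the same RT visible. The argument list of this call continues past the end of the hunk.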