Tokens are encrypted and stored in Sumo Logic using AES256-CBC with HMAC-SHA256 authentication and expire after a few hours and subscriptions are refreshed yearly.
Tokens are encrypted as soon as Sumo Logic gets them from O365 and are only decrypted when retrieving events keeping those secured.
Sumo Logic automatically updates them before they expire to prevent data loss. Successful and failed token-update events are logged in the Audit Index. If the request fails Sumo Logic will continue to try to update a token for about a week. After several failures, we recommend recreating the Office 365 Audit Source.