Access tokens for accounts performing user synchronization will expire after 30 days if not used for that process. Couldn't the token use the IMS login activity to see if the account is active, but just not running the user sync process in that time period?