diff --git a/app/auth/plugins/azure_oidc/outgoing.go b/app/auth/plugins/azure_oidc/outgoing.go
index 77a104a..a674674 100644
--- a/app/auth/plugins/azure_oidc/outgoing.go
+++ b/app/auth/plugins/azure_oidc/outgoing.go
@@ -130,6 +130,9 @@ func parseExpiry(expiresOn string, expiresIn json.Number) time.Time {
 		if ts, err := strconv.ParseInt(expiresOn, 10, 64); err == nil && ts > 0 {
 			return time.Unix(ts, 0)
 		}
+		if t, err := time.Parse("01/02/2006 15:04:05 -07:00", expiresOn); err == nil {
+			return t
+		}
 	}
 	if expiresIn != "" {
 		if secs, err := expiresIn.Int64(); err == nil && secs > 0 {
diff --git a/app/auth/plugins/azure_oidc/outgoing_test.go b/app/auth/plugins/azure_oidc/outgoing_test.go
index 9b7263d..5223f02 100644
--- a/app/auth/plugins/azure_oidc/outgoing_test.go
+++ b/app/auth/plugins/azure_oidc/outgoing_test.go
@@ -216,6 +216,40 @@ func TestAzureOIDCUsesExpiresOn(t *testing.T) {
 	}
 }
 
+func TestAzureOIDCParsesDateFormattedExpiresOn(t *testing.T) {
+	resetCache()
+
+	future := time.Now().Add(45 * time.Minute).UTC()
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, `{"access_token":"tok","expires_on":"%s"}`, future.Format("01/02/2006 15:04:05 -07:00"))
+	}))
+	defer ts.Close()
+
+	oldHost := MetadataHost
+	MetadataHost = ts.URL
+	defer func() { MetadataHost = oldHost }()
+
+	oldClient := HTTPClient
+	HTTPClient = ts.Client()
+	defer func() { HTTPClient = oldClient }()
+
+	p := AzureOIDC{}
+	cfg, err := p.ParseParams(map[string]interface{}{"resource": "api://res"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	r := &http.Request{Header: http.Header{}}
+	if err := p.AddAuth(context.Background(), r, cfg); err != nil {
+		t.Fatal(err)
+	}
+
+	_, exp := getCachedToken("api://res|")
+	if time.Until(exp) < 40*time.Minute {
+		t.Fatalf("expected parsed expiry around 45m, got %s", exp)
+	}
+}
+
 func TestAzureOIDCParamLists(t *testing.T) {
 	p := AzureOIDC{}
 	if got := p.RequiredParams(); len(got) != 1 || got[0] != "resource" {