
We have an app which uses the OAuth authorization code grant type. We are trying to restrict session tokens and limit them to 10 minutes; however, after applying the policy it is not working and users stay logged in on browsers.

Can you please suggest if we are missing something? We are using the below policy:

```powershell
# Requires the AzureADPreview module and an existing Connect-AzureAD session.
# $policyName is assumed to have been set earlier in the script.
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSessionSingleFactor":"00:10:00","MaxAgeSessionMultiFactor":"00:10:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
```

Suuny

2 Answers

Please do not use that, as per the link that Joy posted: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Microsoft is deprecating this and changing to authentication session management capabilities in the AAD Conditional Access menus.

"After hearing from customers during the preview, we've implemented authentication session management capabilities in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign in frequency. After May 1, 2020 you will not be able to use Configurable Token Lifetime policy to configure session and refresh tokens. You can still configure access token lifetimes after the deprecation."

Here is the link: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

alphaz18
  • Thanks for the reply, let me try this and I will get back to you. – Suuny May 06 '20 at 12:38
  • But I don't see these CA policies for minutes, only hours and days... so how can I test this for 10 minutes? It is not accepting the 00.10.00 value – Suuny May 06 '20 at 12:50
  • It is not working as expected. I enabled sign-in frequency to 1 hour; I have been working on that and after an hour it does not kick me out, however if I refresh the page then it asks me to authenticate. I am testing this only on one application, so I can not enable the persistent setting, as it works only when all apps are selected. – Suuny May 07 '20 at 15:58
  • In addition to alphaz18's comment, [User sign-in frequency](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency) of Azure AD Conditional Access is a feature of Azure AD Premium and requires an [Azure AD Premium P1 license](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview#license-requirements) – rajeshmag Jul 26 '20 at 23:29
This feature is in preview (Configurable token lifetimes in Azure Active Directory (Preview)); also, the New-AzureADPolicy command belongs only to the AzureADPreview module.

Currently, it only works with the parameter -IsOrganizationDefault $true; the feature may not have been implemented completely.

```powershell
# Same policy as in the question, but applied as the organization default
# ($policyName is assumed to be defined earlier in the script).
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSessionSingleFactor":"00:10:00","MaxAgeSessionMultiFactor":"00:10:00"}}') -DisplayName $policyName -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
```

Update:

Sorry for my oversight; the solution above is what I tested in this post on 2020/4/17, but there is an update in this doc, as @alphaz18 mentioned:

[screenshot of the update in the linked documentation]

So if you want to configure the session lifetime, you need to use the new feature: Configure authentication session management with Conditional Access.

Joy Wang
  • Thanks for your reply, let me try this and I will get back to you – Suuny May 06 '20 at 12:38
  • But I don't see these CA policies for minutes, only either hours or days... so how can I test this for 10 minutes? It is not accepting the 00.10.00 value – Suuny May 06 '20 at 12:51
  • @Suuny Seems it does not support 10 min; at least it should be one hour. – Joy Wang May 07 '20 at 03:01
  • Yes, I am testing this one, but I think a minutes configuration should be there, as on a test environment it will be easy and quick to test. :) – Suuny May 07 '20 at 10:36
  • It is not working as expected. I enabled sign-in frequency to 1 hour; I have been working on that and after an hour it does not kick me out, however if I refresh the page then it asks me to authenticate. I am testing this only on one application, so I can not enable the persistent setting, as it works only when all apps are selected. – Suuny May 07 '20 at 15:58
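The quoted deprecation notice in the first answer says that access token lifetimes can still be configured with a TokenLifetimePolicy after the session and refresh token settings are removed, while session length moves to Conditional Access sign-in frequency. The following is an added example (not code from either answer or from Microsoft's documentation) showing how to scope a 10 minute access token lifetime to one application's service principal with the AzureADPreview cmdlets, and how to verify the assignment. The app display name and policy name are placeholders; the script assumes the AzureADPreview module is installed and that the caller holds a role allowed to create policies.

```powershell
# Added example: scope an access token lifetime (still supported after the
# session/refresh token deprecation) to a single application.
# Assumes the AzureADPreview module is installed and the caller is already
# connected with Connect-AzureAD.
Import-Module AzureADPreview

$appDisplayName = 'Contoso Web App'          # placeholder: your app's display name
$policyName     = 'Contoso-AccessToken-10min' # placeholder: any descriptive name

# AccessTokenLifetime is the only lifetime still configurable here; session
# length (MaxAgeSession*) must be set via Conditional Access sign-in frequency.
$definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}')

# Reuse an existing policy with the same name instead of creating duplicates.
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $policyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition $definition `
                                -DisplayName $policyName `
                                -IsOrganizationDefault $false `
                                -Type 'TokenLifetimePolicy'
}

# Resolve the app's service principal and attach the policy to it only.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
            Where-Object { $_.Id -eq $policy.Id }
if (-not $assigned) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Verify: list the policies now linked to this service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Definition
```

A shorter access token only limits how long a single bearer token is accepted by the resource; the browser session will still silently obtain a fresh one through the refresh token until the Conditional Access sign-in frequency expires, which matches the behaviour Suuny describes in the comments above.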