
We're trying to configure the access token expiry time to 8 hours using the PowerShell cmdlets below, but it's not getting enforced on the application. It works when applied at org. level (i.e. -IsOrganizationDefault $true).

# Capture the policy object: its Id is needed when assigning it to the application
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"

Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id

Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

*NOTE: After May 30, 2020 no new tenant will be able to use the Configurable Token Lifetime policy to configure session and refresh tokens. However, you can still configure access token lifetimes after the deprecation.

Need help in configuring the access token expiry time to 8 hrs for an OAuth/OIDC app in Azure AD (default is 1 hr).

Hury Shen
Rajat

3 Answers


This is a late answer. Hope it helps late-comers like me.

The token lifetime policy is not based on the AAD app registration (service principal / enterprise application) that is being used to request the resource. It applies to the resource you're trying to access. So the resource needs to have the token lifetime policy, not the AAD app registration (service principal / enterprise application) that has the permissions.

For example, I have a React frontend making API calls to a backend; both are registered on Azure AD as 2 separate apps. When users log in via the frontend, they will be issued an ID token (from the service principal for the frontend) and an access token (from the service principal for the backend).

Your PowerShell cmd would create an 8-hour-long token. If I apply it to the frontend, the ID token would last 8 hours. Similarly, if applied to the backend, the access token for the server will last 8 hours.

This is the MSFT tutorial to extend the token lifetime policy and apply it to service principals. Note that the token lifetime must be under 24 hours to be valid.

https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes#create-a-policy-for-web-sign-in

Tri

Per my test, it currently just works with -IsOrganizationDefault $true, no matter whether you use Add-AzureADServicePrincipalPolicy or Add-AzureADApplicationPolicy; with -IsOrganizationDefault $false, neither works.

Currently, the Configure Token Lifetime policy feature is still in preview. I think this feature may not be fully implemented yet, which has caused problems. Microsoft should implement it in the future.

Carl Zhao
  • Thanks Carl for clarifying things. Agreed the feature is still in preview. Just curious, is there any other way to extend the access token time to 8 hrs for OAuth/OIDC apps registered in Azure AD? – Rajat Sep 27 '20 at 05:02
  • Hello @Rajat This post might help you. Please let us know if you still have any questions. https://learn.microsoft.com/en-us/answers/questions/1463/token-lifetime-policy-is-not-working.html?childToView=1526#answer-1526 – Nishant Oct 01 '20 at 15:49

Issue resolved. Created an 8 hr AccessTokenLifetime policy. Applied the TokenLifetimePolicy on the application's service principal. Set the App ID URI for the application in Azure AD and passed it as a scope (instead of the MS Graph default scope) in the authorization request to generate an 8 hr access token.

Rajat
  • Can you please add an example with more details and update the post? I'm struggling with the same issue. – MeneerBij Jul 25 '21 at 11:10
  • Sure, PFB the steps- Pre-requisites: 1. Powershell setup with admin access on desktop 2. Azure AD Tenant with Premium P1 license or higher license 3. User with Global administrator/ Application administrator role in Azure AD  Install AzureAD Preview module and connect with Azure AD: 1) Install-Module -Name AzureADPreview -AllowClobber -Force -ErrorAction Stop -Scope CurrentUser 2) Import-Module AzureADPreview 3) Connect-AzureAD – Rajat Jul 26 '21 at 12:36
  • Example: Create a TokenLifetime policy of 8 hrs: New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}') -DisplayName "" -IsOrganizationDefault $false -Type "TokenLifetimePolicy" **Note down the policy Object ID – Rajat Jul 26 '21 at 12:41
  • Add policy to Application Service Principal: Add-AzureADServicePrincipalPolicy -Id "" -RefObjectId "" where, Application ServicePrincipal Object ID = Azure Active Directory -> Enterprise Applications -> -> Overview blade -> Object ID Validate policy on ServicePrincipal: Get-AzureADServicePrincipalPolicy -Id "" – Rajat Jul 26 '21 at 12:41
  • I'm Global admin but I am getting the below error: Add-AzureADServicePrincipalPolicy : Error occurred while executing AddServicePrincipalPolicy Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. InnerError: RequestId: xxx-xxx DateTimeStamp: Thu, xx xxx xxxx 15:50:05 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed – Manjunath Patelappa Feb 16 '23 at 15:50
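The procedure from Tri's answer and Rajat's accepted answer end to end, as an added example (not code from either poster): create the 8-hour policy, attach it to the service principal of the resource (API) app rather than the client app, confirm the assignment, and check the lifetime of a token requested for that API's scope by decoding its exp/iat claims. $resourceAppId and $accessToken are placeholders you supply; Get-JwtLifetimeHours is a hypothetical helper written here.

```powershell
# Added example: 8-hour access token policy on the resource app's service principal.
Import-Module AzureADPreview
Connect-AzureAD

$resourceAppId = '<APPLICATION-(CLIENT)-ID-OF-THE-API-APP>'   # placeholder

# 1. Create the policy. -IsOrganizationDefault $false means it only takes effect
#    where it is explicitly assigned. Keep the object: its Id is needed below.
$policy = New-AzureADPolicy `
    -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}') `
    -DisplayName 'AccessToken8h' `
    -IsOrganizationDefault $false `
    -Type 'TokenLifetimePolicy'

# 2. Assign it to the service principal of the API (the audience of the access
#    token), not to the client/frontend app that requests the token.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$resourceAppId'"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 3. Confirm the assignment landed on the right object.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Definition

# 4. Request a token with the API's own scope (api://<App ID URI>/<scope>) and
#    check exp - iat in the decoded payload. Tokens requested for a Microsoft
#    Graph scope are governed by Graph's policy, so they stay at the default.
function Get-JwtLifetimeHours {
    param([Parameter(Mandatory)][string]$Jwt)
    # Base64url -> Base64, restoring the padding the JWT encoding strips.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
    [math]::Round(($claims.exp - $claims.iat) / 3600, 2)
}

# $accessToken is a token obtained for the API scope (placeholder, not shown here).
# Get-JwtLifetimeHours -Jwt $accessToken   # 8 when the policy is in effect
```

If step 3 shows the policy but step 4 still reports 1 hour, the token was most likely issued for a different audience than the service principal carrying the policy.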