Azure AD: Best Practices on session timeout / token invalidation

André Schaller 0 Reputation points
2023-06-26T07:32:39.1433333+00:00

Dear all,

We are working together with a software provider that provides a password manager solution, based on a classic client-server architecture. The users authenticate via the client through Azure AD in order to access the server.

We do have a corporate security requirement that any idle session (5 minutes) shall be force closed, which also applies to said application.

However, given that we receive the session token from Azure AD, the timeout settings from AAD apply (1 hour or more), which violates the requirement. When we spoke to the vendor, he said that they should not control the session timeout via the client. Relying on the AAD setting would be SSO best practice, and this is how all other OAuth2/OIDC clients work. Instead, they refer us to AAD to decrease the token's lifetime.

As I am not an expert in this field, could you please comment on this?

Thanks in advance,

André
