How to extend a Microsoft Entra generated token when scope is SharePoint

Samuele Furnari 20 Reputation points
2023-07-31T13:32:29.6766667+00:00

Hi,

I'm hanging myself on a use case for a customer that has implemented an application that must interface with SharePoint using delegated permissions. The app is implemented in Appian using a native connected system that doesn't support refresh tokens.

To accomplish the requirement, I was hoping that the policy definition described here would also affect the SP token.

Unfortunately it does not work, and I read here that for SharePoint and OneDrive I must use Conditional Access policies, but I cannot figure out how to use them to extend the token lifetime (or rather, I fear that they do not serve to extend the duration of the token but that they act on browser sessions opened by the user on the SharePoint site).

I registered an app in my MS Entra instance and applied a policy to it to extend the access token's duration to 24 hours. The policy works well if I ask for a token with a custom scope (a scope specific to my app), but it does not work if I ask for a token for a SharePoint resource (which always has a 1h expiration time).

Thanks

Samuele


Accepted answer
  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-08-01T13:49:05.29+00:00

    Hello @Samuele Furnari!

    Thank you for the detailed update!

    So let's sum it up!

    Did you try the Graph commands:

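    # Microsoft Graph PowerShell module that provides the token lifetime policy cmdlets
    Import-Module Microsoft.Graph.Identity.SignIns

    $params = @{
        # Policy definition: access token lifetime of 8 hours
        definition = @(
            '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}'
        )
        displayName = "Contoso token lifetime policy"
        # Make this policy the default for the whole organization
        isOrganizationDefault = $true
    }

    # Create the policy
    New-MgPolicyTokenLifetimePolicy -BodyParameter $params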
    
    
    

    You said you tried it but it did not work? Is this the method you tried?

    Also, allow me to point you to the Conditional Access What If tool; it may help you in general.

    It allows you to run "what if" scenarios on CA policies without actually enabling them, so you can have a general idea of what is going to happen when you set a policy to Enabled.


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.
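
An added example, not part of the original thread: a PowerShell check that decodes an access token's `aud`, `iat` and `exp` claims and compares the resulting lifetime with the `AccessTokenLifetime` value from the policy, so the effective lifetime can be confirmed per resource (custom scope versus SharePoint). The function names, the 5-minute tolerance and the sample token (unsigned, with a made-up `contoso.sharepoint.com` audience) are assumptions constructed for illustration.

```powershell
# Added example: helper names, tolerance and sample token are illustrative.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-AccessTokenLifetime {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [Parameter(Mandatory)][string]$PolicyLifetime  # same format as the policy, e.g. "8:00:00"
    )
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT with three segments.' }
    $claims = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    if ($null -eq $claims.iat -or $null -eq $claims.exp) { throw 'Token has no iat/exp claims.' }

    $actual   = [TimeSpan]::FromSeconds([long]$claims.exp - [long]$claims.iat)
    $expected = [TimeSpan]::Parse($PolicyLifetime, [Globalization.CultureInfo]::InvariantCulture)
    [pscustomobject]@{
        Audience       = $claims.aud
        Lifetime       = $actual
        PolicyLifetime = $expected
        # Assumed tolerance: treat the policy as applied if within 5 minutes of the configured value.
        PolicyApplied  = ($actual - $expected).Duration() -le [TimeSpan]::FromMinutes(5)
    }
}

# Constructed sample: unsigned token with a 3600-second lifetime for a made-up SharePoint audience.
$header  = ConvertTo-Base64Url -Text '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url -Text '{"aud":"https://contoso.sharepoint.com","iat":1690800000,"exp":1690803600}'
Get-AccessTokenLifetime -Jwt "$header.$payload.constructed" -PolicyLifetime '8:00:00'
```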

1 additional answer

  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-07-31T17:38:53.9466667+00:00

    Hello @Samuele Furnari!

    Welcome to Microsoft QnA!

    First of all, as we can read:

    Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

    Customers with Microsoft 365 Business licenses also have access to Conditional Access features.

    I suppose you have this license?

    Also, please let us know: is the application accessing SharePoint as a web session? Because:

    Configurable token lifetime policy only applies to mobile and desktop clients that access SharePoint Online and OneDrive for Business resources, and does not apply to web browser sessions

    https://learn.microsoft.com/en-us/azure/active-directory/develop/configurable-token-lifetimes

    Is this the case, and that's why you are referencing Conditional Access?

    If it is not the case, then the extension should work.

    Access, ID, and SAML2 token configuration are affected by the following properties and their respectively set values:

    Property: Access Token Lifetime
    Policy property string: AccessTokenLifetime
    Affects: Access tokens, ID tokens, SAML2 tokens
    Default:
        Access tokens: varies, depending on the client application requesting the token. For example, continuous access evaluation (CAE) capable clients that negotiate CAE-aware sessions will see a long lived token lifetime (up to 28 hours).
        ID tokens, SAML2 tokens: 1 hour
    Minimum: 10 minutes
    Maximum: 1 day
    

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards