25,208 questions
The admin credentials used in SCIM provisioning do not expire in 60 minutes, only when you want to rotate the password as needed.
Azure Enterprises Application update Admin Credentials for SCIM user provisioning
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 40%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Narayanaswamy, M (Manjunath)
15
Reputation points
We are in the process of implementing the SCIM for our non-gallery SAS application (Collibra).
The secret token we get from Azure AD tenant (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token) expires in 60 min.
Is there a way we can automate the process of updating the secret token in admin credentials using PowerShell or Azure CLI?
any other potential solution such as generating a long lived secret token are appreciated.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
2 answers
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points2023-09-14T12:45:34.3466667+00:00 -
Narayanaswamy, M (Manjunath) 15 Reputation points
2023-09-18T11:23:33.4833333+00:00 HI Andy David,
Thanks for the update. It does expire in our case, as i mentioned we use the following API, from the response you can see its valid for only 3599 seconds, is there a flag where we can set custom expiry time?_curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' _
_https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token _
_-d 'client_id=<application/client-id>’ _
_-d 'grant_type=client_credentials' _
_-d 'scope=<Audiance Client ID>%2F.default' _
-d 'client_secret=<secret-value>’
{ "token_type": "Bearer", "expires_in": 3599, "ext_expires_in": 3599, "access_token":
Sign in to comment -
-
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator2023-09-19T03:22:48.96+00:00 The tokens used in Azure AD Provisioning need to be issued by the SCIM application. The token flow that you are mentioning is OAuth 2.0 Client Credential Grant flow, in this case using Azure AD as the issuer of the tokens. Custom non-gallery applications do not support OAuth 2.0 at this time and require long-lived bearer tokens. Given that, using short-lived OAuth 2.0 access tokens, whether issued from Azure AD or another OAuth server, will not work.
-
Narayanaswamy, M (Manjunath) 15 Reputation points
2023-09-19T16:59:57.0333333+00:00 Do you have any reference article similar to my case on how to create long-lived bearer tokens?
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2023-09-20T17:29:31.23+00:00 Thank you for following up on this!
I believe this is the documentation referencing what @Danny Zollner mentioned:
- Authorization to provisioning connectors in the application gallery
- Handling endpoint authentication
I hope this helps!
If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
-
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
2023-09-20T17:34:10.0433333+00:00 I don't know of any way to generate long-lived bearer tokens via Microsoft's MS Graph-related OIDC/OAuth endpoints. Taking a step back, though, are you a customer of Collibra or a PM/developer of the company that makes Collibra? If you are a customer, you are likely generating your tokens in the wrong place - the application with the SCIM server (Collibra, in this case) should have a mechanism for generating a token that the client (AAD/EID) can then use when making API calls.
-
Narayanaswamy, M (Manjunath) 15 Reputation points
2023-09-20T18:13:31.1666667+00:00 Yes we are the customer of Collibra, Collibra uses Azure AD as the IDP and in this case (SCIM) AAD is the SCIM client as well.
may be as a workaround is there a way to update the admin credentials in the user provisioning programmatically upon expiry?
-
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
2023-09-20T20:02:39.72+00:00 That won't work as a workaround - it is possible for a job to run for longer than 60 minutes, and there is also replication delay that can potentially happen for the new secret/credential. Collibra will need to issue their own tokens rather than use AAD/Entra ID as the issuer.
Sign in to comment -