Azure SCIM User provisioning - Long lived bearer token standard validity

Question

Azure SCIM User provisioning - Long lived bearer token standard validity

Ruchi 406

Hi Team,

For our enterprise's user provisioning SCIM application, we are planning to use Long lived bearer token for application authentication. Could you please suggest the standard approach for the token expiry duration. Is it allowed to generate a never expire bearer token?

Sandeep G-MSFT 20,926 Reputation points Microsoft Employee Moderator

2023-10-19T11:38:52.35+00:00

@Ruchi

Thank you for posting your question in Microsoft Q&A.

I am looking into this issue. Will get back to you post my research
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-10-27T19:13:45.04+00:00

@Ruchi

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

3 answers

Your answer

Sandeep G-MSFT 20,926 Reputation points Microsoft Employee Moderator

2023-10-19T11:38:52.35+00:00

@Ruchi

Thank you for posting your question in Microsoft Q&A.

I am looking into this issue. Will get back to you post my research
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-10-27T19:13:45.04+00:00

@Ruchi

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Danny Zollner 10,801 Microsoft Employee Moderator

For tokens issued by your application for use in accessing the app's SCIM server endpoints, it is allowable to issue non-expiring bearer tokens, or tokens with expiration dates so far in the future that they are functionally non-expiring. This doesn't align with best practices from a security standpoint, however.

If this is an internal application only used by your company, then right now bearer tokens are your only option. If this is an application intended to be added to the Enterprise App gallery, then I'd instead suggestion implementing OAuth 2.0 Authorization Code Grant or Client Credential Grant flows.

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-11-10T00:58:38.77+00:00

Hello @Ruchi , let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Answer 2

@Ruchi

Thank you for posting your question in Microsoft Q&A.

Creating a never expire token for application in Azure is not possible.

However, you can configure the lifetime for an access token.

You can refer below articles to know more about the default lifetime of tokens and also configuring lifetime of tokens,

https://learn.microsoft.com/en-us/azure/active-directory/develop/configurable-token-lifetimes

https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 3

Hung Hoang 0

Hi All
Regarding the use of "Long-lived bearer token" for authorization to provisioning connectors in the application gallery. I understand there is currently no refresh token mechanism or way to renew the token once it expires. Is that correct?

Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-08-02T16:06:49.1633333+00:00

This is correct. The long-lived bearer token/secret token field that is available in the generic SCIM connector is a simple HTTP bearer token, sent as part of the value of the Authorization header, with the value of that header being "Bearer <X>", where <X> is the secret token. The concept of access and refresh tokens is related to OAuth, which is not supported on the generic SCIM connector at this time. We are working on making this available on the generic SCIM connector, however. When it becomes available, you'll need to provide a client id and client secret to be used by the provisioning service to obtain the access and refresh tokens.
Brian Engen 1 Reputation point

2024-09-04T12:51:21.6533333+00:00

@Danny Zollner if there's any way, I'd be very interested in discussing this further. My organization uses Entra ID SCIM with our largest customers to ease the burden of provisioning users from their Entra ID tenants into our application and this is currently a very large pain point for us and our customers.

The problem (shame on us) is we implemented a workaround to meet the needs of our customers while mistakenly expecting the gallery app submittal process would take a reasonable amount of time. Our gallery app submittal process has gone through several delays and restarts. My earliest email related to this process is dated 2021... and our last correspondence from that team indicated current and future submittals are on indefinite hold.

If the future involves a shift from gallery apps to supporting more openid/c auth workflows with the "generic" connector, this would be excellent. I'd be very interested in any details about the feature, including any available delivery timeline - months? years?

currently, our customers' IT administrators must issue a new "long-lived" token for our SCIM app about every 30-90 days to mitigate Entra ID token signing key rotation. even ignoring token expiration, eventually the token signing keys rotate out, preventing us from validating the token signature. to help ease this burden, we're implementing our own token issuer (hopefully as a stop-gap) which is not ideal either.

Thanks for your time and please let me know if there's an opportunity to discuss further!
Landow, Robin (UIT) 0 Reputation points

2024-11-15T08:57:30.8533333+00:00

Dear @Danny Zollner we're facing the same issue as the other guys here. Can you tell us when you will release the changes for the SCIM Connector regarding access and refresh_token (grant_type refresh_token)? Thanks in advance!

Cheers Robin

Share via

Azure SCIM User provisioning - Long lived bearer token standard validity

3 answers

Your answer