Azure SCIM User provisioning - Long lived bearer token standard validity

Ruchi 406 Reputation points
2023-10-17T11:06:31.6733333+00:00

Hi Team,

For our enterprise's user provisioning SCIM application, we are planning to use Long lived bearer token for application authentication. Could you please suggest the standard approach for the token expiry duration. Is it allowed to generate a never expire bearer token?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2023-10-23T18:22:08.4766667+00:00

    For tokens issued by your application for use in accessing the app's SCIM server endpoints, it is allowable to issue non-expiring bearer tokens, or tokens with expiration dates so far in the future that they are functionally non-expiring. This doesn't align with best practices from a security standpoint, however.

    If this is an internal application only used by your company, then right now bearer tokens are your only option. If this is an application intended to be added to the Enterprise App gallery, then I'd instead suggest implementing OAuth 2.0 Authorization Code Grant or Client Credentials Grant flows.

    1 person found this answer helpful.
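    A server-side check of the kind the answer above argues for, added here as an example that is not code from the thread or from Microsoft: the SCIM endpoint only accepts bearer tokens that carry an expiry within a policy ceiling (the 90-day value is an assumption), stores them hashed, compares in constant time, and keeps at most two tokens active so the provisioning client can be rotated without a gap.

    ```python
    import hashlib
    import hmac
    import secrets
    import time
    from dataclasses import dataclass
    from typing import Callable, List, Optional

    # Policy ceiling for a provisioning bearer token. 90 days is an assumed
    # value for this example, not a figure taken from the thread or from Microsoft.
    MAX_LIFETIME_SECONDS = 90 * 24 * 3600


    def _hash(raw_token: str) -> str:
        # Store only a digest so a leaked token store does not yield usable tokens.
        return hashlib.sha256(raw_token.encode()).hexdigest()


    @dataclass
    class IssuedToken:
        token_hash: str
        expires_at: float  # Unix time; every token has one, "never" is not allowed


    class ScimTokenStore:
        """Holds the bearer tokens the SCIM server accepts. At most two are active
        (current and previous) so the provisioning client can be re-keyed before the
        old token expires."""

        def __init__(self, clock: Callable[[], float] = time.time):
            self._clock = clock  # injectable for tests
            self._active: List[IssuedToken] = []

        def issue(self, lifetime_seconds: int) -> str:
            """Mint a new random token; refuses lifetimes outside policy."""
            if not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS:
                raise ValueError("token lifetime outside policy")
            raw = secrets.token_urlsafe(32)
            self._active.append(IssuedToken(_hash(raw), self._clock() + lifetime_seconds))
            self._active = self._active[-2:]  # rotation window: newest two only
            return raw

        def authorize(self, authorization_header: Optional[str]) -> bool:
            """Validate the HTTP Authorization header sent by the provisioning client."""
            if not authorization_header or not authorization_header.startswith("Bearer "):
                return False
            presented = _hash(authorization_header[len("Bearer "):].strip())
            now = self._clock()
            self._active = [t for t in self._active if t.expires_at > now]  # purge expired
            # compare_digest on fixed-length digests avoids a timing side channel
            return any(hmac.compare_digest(presented, t.token_hash) for t in self._active)
    ```
    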

  2. Sandeep G-MSFT 20,926 Reputation points Microsoft Employee Moderator
    2023-10-20T09:22:50.3+00:00

    @Ruchi

    Thank you for posting your question in Microsoft Q&A.

    Creating a never-expiring token for an application in Azure is not possible.

    However, you can configure the lifetime for an access token.

    You can refer to the articles below to learn more about the default lifetime of tokens and how to configure token lifetimes:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/configurable-token-lifetimes

    https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Hung Hoang 0 Reputation points
    2024-08-02T07:14:11.62+00:00

    Hi All,
    Regarding the use of "Long-lived bearer token" for authorization to provisioning connectors in the application gallery: I understand there is currently no refresh token mechanism or way to renew the token once it expires. Is that correct?

