
Assigning token lifetime policy to app registration. Microsoft Entra ID. Microsoft Graph.

trebiax 20 Reputation points
2023-10-18T12:45:32.1033333+00:00

Hello,

I'm trying to apply a token lifetime policy to a newly created application in the app registrations of Microsoft Entra ID.

As a source I used this article:

https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes

Everything succeeded, policy created, policy assigned to app.

But when I use MSAL (for a .NET desktop app) to acquire a token interactively

PublicClientApp.AcquireTokenInteractive(scopes)

I am not getting a token with the specified lifetime. Apparently, the policy isn't used by the application.

IMP! The issue is, when I create the policy with the flag IsOrganizationDefault = $false, in that case it's ignored.

If I create the same policy with IsOrganizationDefault = $true, then the policy works (apparently it is considered by the app) and the acquired token lifetime is the one I specified.

What's wrong with IsOrganizationDefault = $false, or what am I doing wrong?


I also tried to use the old AzureADPreview approach (instead of Microsoft Graph), command:

$policyDefinition = @('{
  "TokenLifetimePolicy": {
    "Version": 1,
    "AccessTokenLifetime": "04:00:00",
    "IdTokenLifetime": "04:00:00",
    "RefreshTokenLifetime": "04:00:00"
  }
}')
# Tried without IdTokenLifetime and RefreshTokenLifetime as well
# (comments kept outside the single-quoted string, otherwise they end up inside the JSON definition)

$policy = New-AzureADPolicy -Definition $policyDefinition -DisplayName "CustomTokenLifetimePolicy" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Add-AzureADApplicationPolicy -Id "SomeApplicationObjectId" -RefObjectId $policy.Id

I also tried to use the Microsoft Graph SDK client (for .NET). I succeeded in fetching the assigned policies via:

await graphClient.Policies.TokenLifetimePolicies["tokenId"].AppliesTo.GetAsync();

In the result of this command my application is listed, so it looks like the policy is assigned in all 3 approaches (Graph PowerShell, Graph .NET client, AzureADPreview).

So most likely the token acquisition process ignores that policy, for some reason. The question is why? Prioritization looks like it is taken into consideration (there are no default organization policies, nor any others; just the one created policy, the custom one).

Thanks for any help!


Answer accepted by question author

    Fabio Andrade 1,670 Reputation points Microsoft Employee Moderator
    2023-10-19T22:36:28.72+00:00

    Hi @trebiax

    Thanks for reaching out to Microsoft Q&A.

    This topic is a little bit confusing but let me try to share some more information about it.

    Configurable Token Lifetime policy can only be used on the resource application, not the client one. So, you can assign it to O365, Teams, or any other resource application that you need to sign in against, which means that you'll have a different token lifetime for all the tokens requested for that resource app, not for the requesting user / application.

    One more thing I'd like to clarify is that you cannot change the Refresh Token lifetime anymore:


    https://learn.microsoft.com/en-us/azure/active-directory/develop/configurable-token-lifetimes#configurable-token-lifetime-properties

    The reason why it works when you set the parameter IsOrganizationDefault = $true is that it makes the policy valid for the whole tenant, not only for an application; that's why you are seeing it applied as you expected. It could work if you don't mind changing the token lifetime for all the applications, but I don't think that's what you are looking for, based on what I understood from your request.

    Let me know if you have further questions about this.

    Thanks,

    Fabio

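Following the answer's point that the policy has to hang off the resource application rather than the client app registration, here is an added example (not code from the question, the answer, or Microsoft's documentation) that creates a policy with IsOrganizationDefault false using the Microsoft Graph PowerShell SDK, links it to the resource's service principal, and then lists appliesTo the way the asker did. It assumes the resource is Microsoft Graph (its well-known appId is used below); replace $resourceAppId with the appId of whatever resource the client actually requests scopes for.

```powershell
# Added example: assign a token lifetime policy to the RESOURCE application's service principal,
# which is the object Entra ID evaluates the policy against, not the client app registration.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the resource is Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"

$resourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (assumed resource)

# Only the access/ID token lifetime is set: RefreshTokenLifetime is no longer configurable.
$policyBody = @{
    displayName           = "GraphAccessToken4h"
    isOrganizationDefault = $false        # scoped to what it is assigned to, not the whole tenant
    definition            = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"04:00:00"}}')
}
$policy = New-MgPolicyTokenLifetimePolicy -BodyParameter $policyBody

# Resolve the resource's service principal in this tenant; that is where the policy must be linked.
$sp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
if (-not $sp) { throw "No service principal for appId $resourceAppId exists in this tenant" }

# Link the policy through the servicePrincipal tokenLifetimePolicies/$ref navigation.
$ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)" }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)/tokenLifetimePolicies/`$ref" `
    -Body $ref

# Check: appliesTo should now list the resource service principal, not the client app registration.
$applies = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)/appliesTo"
$applies.value | ForEach-Object {
    "{0}  {1}  {2}" -f $_.'@odata.type', $_.id, $_.displayName
}
```

Access tokens the client then acquires for that resource (for example with AcquireTokenInteractive and Graph scopes) carry the 4-hour lifetime, while tokens for other resources keep the tenant default.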

1 additional answer

    trebiax 20 Reputation points
    2023-10-20T10:19:02.2833333+00:00

    Hi @Fabio Andrade

    Thanks for the information!

    Refresh token lifetime is clear.

    But regarding access tokens, that's really weird behavior, isn't it? Is it intended behaviour, or are any changes planned, if you have any information?

    Generally, does it mean that client applications are not able to customize the lifetime of a token?
