Token Lifetime policy is not working

Kamran Bashir 11 Reputation points
2019-11-20T17:25:52.907+00:00

After the 15-minute inactive session timeout, it does not ask the user to reauthenticate.

detail here...

Created a new token policy:

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{
"Version":1,
"MaxInactiveTime":"00:15:00",
"MaxAgeSessionSingleFactor":"08:00:00",
"MaxAgeSessionMultiFactor":"08:00:00"
}}') -DisplayName "TokenLifetimeDefaultPolicy" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

Github page:
https://github.com/MicrosoftDocs/azure-docs/issues/43080


1 answer

  1. FrankHu-MSFT 976 Reputation points
    2019-11-21T01:01:02.243+00:00

    Please consider this example: If you apply the policy to MS Graph, all the tokens for it would be ruled by the policy. So, any app that requests a token for the MS Graph resource will be affected.

    So the token lifetime policy is not based on the AAD app registration that is being used to request the resource; it applies to the resource you're trying to access. So the resource needs to have the token lifetime policy, not the AAD app registration that has the permissions.

    The only way to apply the policy to the app instead is if you request a token with permissions to the AAD Application Registration.

    Additionally, please avoid using token lifetime policies. These will be deprecated some time in the future; please use Conditional Access policies instead:

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
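
The following is an added example, not code from the question or the answer, illustrating the answer's point that a token lifetime policy is enforced for the resource whose tokens are issued, so it has to be linked to that resource's service principal rather than to the calling app's registration. It uses the AzureAD PowerShell module the question already uses (`New-AzureADPolicy`, plus `Add-AzureADServicePrincipalPolicy` and `Get-AzureADServicePrincipalPolicy`). The policy display name and the 15-minute / 8-hour values are assumptions; the app id `00000003-0000-0000-c000-000000000000` is the well-known Microsoft Graph application id, used here only as the example resource. As the answer notes, Conditional Access sign-in frequency is the recommended way to control session lifetime.

```powershell
# Added example (not from the original question or answer).
# Links a TokenLifetimePolicy to the service principal of the resource being
# accessed, which is where the policy is evaluated. Requires Connect-AzureAD
# with sufficient rights to manage policies and service principals.
# The policy name, time values and choice of resource are assumptions.

Connect-AzureAD

# 1. Create the policy as a non-default one, so it only affects resources it is
#    explicitly linked to (an organization default applies to every resource).
$policyDefinition = '{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"00:15:00","MaxAgeSessionSingleFactor":"08:00:00","MaxAgeSessionMultiFactor":"08:00:00"}}'
$policy = New-AzureADPolicy -Definition @($policyDefinition) `
    -DisplayName "ResourceScopedSessionPolicy" `
    -IsOrganizationDefault $false `
    -Type "TokenLifetimePolicy"

# 2. Resolve the service principal of the *resource* the client app requests
#    tokens for (Microsoft Graph in this example), not the client app itself.
$resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $resourceSp) { throw "Resource service principal not found in this tenant." }

# 3. Attach the policy to the resource's service principal.
Add-AzureADServicePrincipalPolicy -Id $resourceSp.ObjectId -RefObjectId $policy.Id

# 4. Verify what is now attached to that resource; the new policy should be listed.
Get-AzureADServicePrincipalPolicy -Id $resourceSp.ObjectId |
    Select-Object DisplayName, Type, IsOrganizationDefault
```

Tokens issued for that resource are then subject to the policy regardless of which client app registration requested them, which is the behaviour the answer describes. Tokens for other resources are unaffected unless the policy is also linked to them.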