Change device authorization token expiration time in AKS AD RBAC authentication

Tanul 1,291 Reputation points
2024-01-17T15:45:11.67+00:00

We have set up AKS with Azure AD authentication with Kubernetes RBAC type. After spinning it up, the kubectl command asked for device login only the first time, via this URL: https://microsoft.com/devicelogin.

But it's been many months and it is not asking for this anymore. Is there any way to change the expiration interval of the token so that after every 1 day the kubectl command will ask users to authorize their devices again?


Accepted answer
  1. Anveshreddy Nimmala 3,550 Reputation points Microsoft External Staff Moderator
    2024-01-18T01:30:16.0833333+00:00

    Hello Tanul, welcome to Microsoft Q&A, thank you for posting your query here.

    1. Azure AD has a setting called Token Lifetime policies. You can configure token lifetimes in the Azure portal. Go to the Azure portal. In "Azure Active Directory" > "Security" > "Authentication methods" > "Authentication methods blade" > "Token Lifetime Policies", you can configure the lifetime of access tokens, refresh tokens, and ID tokens. It may impact other applications, so be cautious while adjusting these values.

    2. You can use the --device-code-validity flag with the az aks get-credentials command. This flag specifies the duration (in seconds) for which the device code is valid. This will generate a new device code and ask the user to authenticate their device again after 24 hours.

    az aks get-credentials --resource-group <resource-group-name> --name <cluster-name> --device-code --device-code-validity 8640

    Hope this helps you. Please accept the answer if it is helpful; otherwise, post your error/query here for a more detailed answer. Thank you.

    1 person found this answer helpful.
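
An added example (not part of the original answer and not Microsoft tooling): after changing any token lifetime setting, one way to confirm what a token you hold actually carries is to read its `iat` and `exp` claims and compare the difference with the one-day interval from the question. It assumes the token is a compact JWT; the function names and the unsigned sample tokens are constructed for illustration.

```python
import base64
import json
from datetime import timedelta

MAX_LIFETIME = timedelta(days=1)  # the one-day interval asked for in the question


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_lifetime(jwt: str) -> timedelta:
    """Return exp - iat from a JWT payload. The signature is NOT verified:
    this inspects a token you already hold, it does not establish trust."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    try:
        return timedelta(seconds=int(claims["exp"]) - int(claims["iat"]))
    except KeyError as missing:
        raise ValueError(f"token has no {missing} claim") from None


def exceeds_policy(jwt: str, limit: timedelta = MAX_LIFETIME) -> bool:
    # True when the token stays valid longer than the intended interval.
    return token_lifetime(jwt) > limit


def make_sample(iat: int, exp: int) -> str:
    # Constructed, unsigned sample token for the demo; not a real credential.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'iat': iat, 'exp': exp})}.sig"


if __name__ == "__main__":
    issued = 1705536000  # constructed issue time (Unix seconds)
    samples = [("1 hour", make_sample(issued, issued + 3600)),
               ("90 days", make_sample(issued, issued + 90 * 86400))]
    for label, tok in samples:
        print(label, token_lifetime(tok), "exceeds 1 day:", exceeds_policy(tok))
```
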
