I have a question regarding SSO Token Expiration

Question

We have a request to find out what is the SSO token expiration for our integrated apps. We don't use conditional access policies so the setting must be the default of our tenant. Per example, if we have a user use SSO to authorize to an app (Zoom let's say) and he works throughout the day and signs off at the end of his shift, when can he expect to sign on again? I work my self and I notice I don't have to sign on until there's a change in my password, or I'm out for a long weekend or something. Is there a place where someone can point me and find what the threshold is for when someone has to sign on again to application such as zoom or slack

Answer 1

Hello,

Let’s look into the token expiration settings for Single Sign-On (SSO).

1. Microsoft Identity Platform (Azure AD):
   • By default, the lifetime of tokens issued by the Microsoft identity platform (such as access tokens, SAML tokens, or ID tokens) is 60 minutes1.
   • The minimum token lifetime is 5 minutes, and the maximum is 1,440 minutes (24 hours)1.
   • If your application has been granted the offline_access scope, the refresh token lifetime is 14 days1.
   • However, you can customize these token lifetimes based on your organization’s needs.
   • To configure token lifetime policies, you can use PowerShell commands or make HTTP requests to the Microsoft Graph API2.
   • For example, you can create a policy that extends the lifetime of access/ID tokens for a specific app or service principal. You can set the lifetime to a desired duration (e.g., 4 hours or 8 hours) using the appropriate commands or API calls2.
   Remember that these settings can vary based on the identity provider and configuration specific to your organization. I recommend checking the documentation or admin settings for your specific SSO solution to verify the exact token expiration thresholds for your integrated apps.