Azure AD - MSAL - ID Token - Timeout - acquireTokenSilent() ISSUE

Kevin Azure 141 Reputation points
2020-03-25T18:58:56.793+00:00

I am using Angular 8 App with MSAL 0.1.4 to authenticate through Azure AD.

The first time user is prompted with Login & I get back the ID Token.
I call the API with ID Token and all are well!

After an hour the ID Token is expiring & API calls are failing!

I resolved it with acquireTokenSilent() passing the Client ID as the scope parameter.
I get the new ID Token and my API calls are succeeding!

Now, after 1 hour 40 minutes, a new ERROR is coming:

  • Error when acquiring token for scopes: guid-guid-guid AADSTS70044: The session has expired or is invalid based on conditional access policy.
  • interaction_required; Error description:AADSTS70044: The session has expired or is invalid based on conditional access policy.
  • Error when acquiring token for scopes: 5669c008-20c0-4118-8f45-6e98c8d8fa76 AADSTS70044: The session has expired or is invalid based on conditional access policy.

What should be the solution in client-side Angular code?
What should be the solution in server-side AAD configuration?

Am I using it correctly, OR should I use an Access Token instead of the ID Token?

Please advise.

Microsoft Entra ID
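The client-side half of the question (what an Angular app should do when acquireTokenSilent() starts failing with interaction_required / AADSTS70044), as an added example that is not part of the original post and is not MSAL's own API. It renews the token shortly before `exp`, tries a silent renewal when it is stale, and falls back to an interactive sign-in only for interaction-type errors; `acquireSilent` and `loginInteractive` are hypothetical async callbacks a wrapper around an MSAL instance would supply, and the JWTs it builds are constructed, unsigned samples for offline use:

```javascript
// Added example (not from the question or from MSAL): renew the token before
// it expires and fall back to interactive sign-in only for interaction-type
// errors such as AADSTS70044 / interaction_required.
// `acquireSilent` and `loginInteractive` are hypothetical async callbacks that
// a wrapper around an MSAL instance would supply; they are not MSAL's own API.

// Base64url helpers so the example can build and read JWTs offline.
const b64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
};

// Constructed, unsigned JWT for demonstration only (the signature part is a dummy).
function makeFakeJwt(payload) {
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}.sig`;
}

// Read the payload without verifying it: good enough to decide whether to
// renew, never good enough for the API to trust (the API must verify the signature).
function jwtPayload(token) {
  return JSON.parse(fromB64url(token.split('.')[1]));
}

// True when `exp` is missing or within `skewSeconds` of now: renew early rather
// than letting the first API call after the hour fail with a 401.
function isExpiringSoon(token, nowSeconds, skewSeconds = 300) {
  const { exp } = jwtPayload(token);
  return typeof exp !== 'number' || exp - nowSeconds <= skewSeconds;
}

// Error texts for which silent renewal cannot succeed and the user must interact.
// AADSTS70044 surfaces as interaction_required once a Conditional Access
// sign-in frequency window has elapsed.
const INTERACTION_MARKERS = ['interaction_required', 'login_required', 'consent_required', 'aadsts70044'];

function needsInteraction(err) {
  const text = String(err && err.message !== undefined ? err.message : err).toLowerCase();
  return INTERACTION_MARKERS.some((m) => text.includes(m));
}

// Returns { token, source } where source is 'cache', 'silent' or 'interactive'.
// Non-interaction errors (network, 5xx, misconfiguration) are rethrown so they
// are not papered over with a login prompt.
async function getToken({ cached, scopes, nowSeconds, acquireSilent, loginInteractive }) {
  if (cached && !isExpiringSoon(cached, nowSeconds)) {
    return { token: cached, source: 'cache' };
  }
  try {
    return { token: await acquireSilent(scopes), source: 'silent' };
  } catch (err) {
    if (!needsInteraction(err)) throw err;
    return { token: await loginInteractive(scopes), source: 'interactive' };
  }
}
```

Call `getToken` in the HTTP interceptor before each API request; the interactive branch is the only place a redirect or popup should be triggered, so a Conditional Access re-authentication shows up as one prompt instead of a stream of failed calls.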

1 answer

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-03-26T09:09:34.423+00:00

    @Kevin Azure Based on the error you have shared, it appears to be due to the session control configuration in a Conditional Access policy.

    If you navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > Your_CA_Policy > Session, you can see the sign-in frequency configuration, where you can configure the time period before a user is asked to sign in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer. The value can be 1-23 hours or 1-365 days.

    Note: If you have multiple Conditional Access policies, you may consider using the What If tool under the Conditional Access policy blade to narrow down the number of policies which are taking effect.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

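The narrowing-down step the answer describes (which policies impose a sign-in frequency on this application, and which one sets the effective window), as an added example that is not part of the answer and is not Microsoft's What If tool. The policy objects are constructed sample data shaped like the Microsoft Graph conditionalAccessPolicy resource (`state`, `conditions.applications`, `sessionControls.signInFrequency`), not from a real tenant; the application ID is the one from the question, and the 90-day default is the one the answer states:

```javascript
// Added example (not from the answer or from Microsoft): given a list of
// Conditional Access policies, find the ones that impose a sign-in frequency on
// one application and compute the tightest enforced window.
// SAMPLE_POLICIES is constructed data shaped like the Graph conditionalAccessPolicy
// resource; it does not come from a real tenant.

const APP_ID = '5669c008-20c0-4118-8f45-6e98c8d8fa76'; // client ID from the question
const DEFAULT_HOURS = 90 * 24; // no enforced sign-in frequency: rolling 90-day window

const SAMPLE_POLICIES = [
  { displayName: 'Require MFA for all apps', state: 'enabled',
    conditions: { applications: { includeApplications: ['All'], excludeApplications: [] } },
    sessionControls: null },
  { displayName: 'Short session for Angular app', state: 'enabled',
    conditions: { applications: { includeApplications: [APP_ID], excludeApplications: [] } },
    sessionControls: { signInFrequency: { isEnabled: true, type: 'hours', value: 1 } } },
  { displayName: 'Re-auth every two weeks', state: 'enabled',
    conditions: { applications: { includeApplications: ['All'], excludeApplications: [] } },
    sessionControls: { signInFrequency: { isEnabled: true, type: 'days', value: 14 } } },
  { displayName: 'Pilot: 2 hours (report-only)', state: 'enabledForReportingButNotEnforced',
    conditions: { applications: { includeApplications: ['All'], excludeApplications: [] } },
    sessionControls: { signInFrequency: { isEnabled: true, type: 'hours', value: 2 } } },
  { displayName: '3 hours except Angular app', state: 'enabled',
    conditions: { applications: { includeApplications: ['All'], excludeApplications: [APP_ID] } },
    sessionControls: { signInFrequency: { isEnabled: true, type: 'hours', value: 3 } } },
];

// A policy targets the app when it is included ('All' or by ID) and not excluded.
function appliesToApp(policy, appId) {
  const apps = (policy.conditions && policy.conditions.applications) || {};
  const included = apps.includeApplications || [];
  const excluded = apps.excludeApplications || [];
  return (included.includes('All') || included.includes(appId)) && !excluded.includes(appId);
}

// Hours imposed by the policy's sign-in frequency control, or null if it has none.
function signInFrequencyHours(policy) {
  const sif = policy.sessionControls && policy.sessionControls.signInFrequency;
  if (!sif || !sif.isEnabled) return null;
  if (sif.type === 'hours') return sif.value;
  if (sif.type === 'days') return sif.value * 24;
  return null; // unknown unit: treat as not imposing a window
}

// Returns { hours, enforcedBy, tightest, reportOnly } for the given app:
// hours      - effective window in hours (DEFAULT_HOURS when nothing is enforced)
// enforcedBy - enabled policies that apply and set a sign-in frequency
// tightest   - the subset of enforcedBy that sets the effective window
// reportOnly - applicable report-only policies (visible in logs, not enforced)
function effectiveSignInFrequency(policies, appId) {
  const enforcedBy = [];
  const reportOnly = [];
  let hours = DEFAULT_HOURS;
  for (const p of policies) {
    const h = signInFrequencyHours(p);
    if (h === null || !appliesToApp(p, appId)) continue;
    if (p.state === 'enabledForReportingButNotEnforced') { reportOnly.push(p.displayName); continue; }
    if (p.state !== 'enabled') continue; // disabled policies never take effect
    enforcedBy.push(p.displayName);
    hours = Math.min(hours, h);
  }
  const tightest = policies
    .filter((p) => enforcedBy.includes(p.displayName) && signInFrequencyHours(p) === hours)
    .map((p) => p.displayName);
  return { hours, enforcedBy, tightest, reportOnly };
}
```

With the sample data the Angular app gets a 1-hour window from "Short session for Angular app", which matches the pattern in the question: silent renewal works until the window elapses, then AADSTS70044 is returned until the user signs in again. Feed the same function the JSON returned by a real policy export to see which policy to adjust.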