Thank you for reaching out to us on the Microsoft Q&A forum.
Yes, there is a straightforward way to reduce the duration of SSO refresh tokens, especially if you're using Azure Active Directory. You can control how long these tokens remain valid by setting policies through Conditional Access and Session Management.
Here's a simple guide on how to make these changes:
- How to Configure Conditional Access Policies to Manage Sign-in Frequency in Azure AD:
a. Sign in to the Azure portal, then navigate to Azure Active Directory > Security > Conditional Access.
b. Click New Policy and define the conditions for who and when the policy should apply (such as specific users, devices, applications).
c. Under Session Controls, select Sign-in frequency. Choose a shorter duration (for example, 8 / 24 hours) to limit how long the SSO refresh token is valid, forcing users to sign in again after that period.
By reducing the sign-in frequency, users are required to reauthenticate more often, decreasing the risk of long-lived refresh tokens.
- Changing Token Lifetime Policies (Legacy Method):
In the past, you could adjust token lifetimes using Azure AD PowerShell with custom policies, but Microsoft has now deprecated this method in favor of Conditional Access session controls.
However, if your organization still uses the older method, here’s a simple way to set a policy through PowerShell:
Install AzureAD PowerShell Module:
# Install the AzureAD module and sign in to the tenant
Install-Module AzureAD
Connect-AzureAD
Create a new token lifetime policy (e.g. set the refresh token lifetime to 8 hours):
# -Type is a mandatory parameter of New-AzureADPolicy; -IsOrganizationDefault $true makes this the tenant-wide default
New-AzureADPolicy -Type "TokenLifetimePolicy" -Definition @('{"TokenLifetimePolicy":{"Version":1,"RefreshTokenLifetime":"08:00:00"}}') -DisplayName "Custom Refresh Token Policy" -IsOrganizationDefault $true
- Session Management:
For further control, in Azure AD, you can also enable persistent browser sessions / set policies to enforce sign-out after inactivity. This limits the refresh token's effectiveness by ending the session after a specified period of inactivity.
For more details on Conditional Access settings, you can refer to:
-> Session controls in Conditional Access.
Should you find this information helpful, kindly express your acknowledgment by clicking the "Upvote" and "Accept Answer" buttons on the post.
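The sign-in frequency policy walked through in the answer above, created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original answer or from Microsoft; the two object IDs, the display name and the choice of an 8-hour interval are assumptions, and the policy is created in report-only mode first so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: create and verify a Conditional Access sign-in frequency policy via Microsoft Graph.
# Placeholders (replace before running): $pilotGroupId and $breakGlassAccountId are not real IDs.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser

# Delegated permissions needed to read and write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId        = "00000000-0000-0000-0000-000000000001"   # placeholder: object ID of a pilot group
$breakGlassAccountId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access account

$policy = @{
    displayName = "Sign-in frequency 8 hours (pilot)"
    # Report-only: the policy is evaluated and logged but not enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Always exclude emergency-access accounts from session-control policies.
            excludeUsers  = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"          # "hours" or "days"
            value              = 8
            frequencyInterval  = "timeBased"      # "everyTime" would prompt on every sign-in
            # Re-prompt for the primary credential and MFA, not just MFA.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: list every policy in the tenant that enforces a sign-in frequency.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = "Frequency"; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }

# After reviewing the report-only results in the sign-in logs, switch the policy on.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Sign-in frequency only changes how often a user is re-prompted when a session is re-evaluated; it does not invalidate tokens that were already issued. For a suspected compromise, revoke the user's sessions explicitly (for example with Revoke-MgUserSignInSession -UserId <id>) rather than waiting for the interval to elapse.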