How can I reduce the duration of SSO refresh tokens?

S Abdul Azeem Shah 20 Reputation points
2024-09-24T23:57:15.8+00:00

Hello there! I'm wondering if there's a straightforward way to reduce the duration of SSO refresh tokens. Can anyone point me in the right direction? Thank you in advance!

This question is related to the following Learning Module: Azure Training

Accepted answer
  1. SiddeshTN 4,350 Reputation points Microsoft Vendor
    2024-09-25T10:29:15.31+00:00

    Hi S Abdul Azeem Shah,

    Thank you for reaching out to us on the Microsoft Q&A forum.

    Yes, there is a straightforward way to reduce the duration of SSO refresh tokens, especially if you're using Azure Active Directory. You can control how long these tokens remain valid by setting policies through Conditional Access and Session Management.

    Here's a simple guide on how to make these changes:

    1. How to Configure Conditional Access Policies to Manage Sign-in Frequency in Azure AD:

    a. Sign in to the Azure portal, then navigate to Azure Active Directory> Security> Conditional Access.

    b. Click New Policy and define the conditions for who and when the policy should apply (such as specific users, devices, applications).

    c. Under Session Controls, select Sign-in frequency. Choose a shorter duration (for example, 8 / 24 hours) to limit how long the SSO refresh token is valid, forcing users to sign in again after that period.

    By reducing the sign-in frequency, users are required to reauthenticate more often, decreasing the risk of long-lived refresh tokens.

    2. Changing Token Lifetime Policies (Legacy Method):

    In the past, you could adjust token lifetimes using Azure AD PowerShell with custom policies, but Microsoft has now deprecated this method in favor of Conditional Access session controls.

    However, if your organization still uses the older method, here’s a simple way to set a policy through PowerShell:

    Install AzureAD PowerShell Module:

    Install-Module AzureAD
    Connect-AzureAD

    Create a new token lifetime policy (e.g: set the refresh token lifetime to 8 hours):

    # -Type is a required parameter of New-AzureADPolicy
    New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"RefreshTokenLifetime":"08:00:00"}}') `
        -DisplayName "Custom Refresh Token Policy" `
        -IsOrganizationDefault $true `
        -Type "TokenLifetimePolicy"
    3. Session Management:

    For further control, in Azure AD, you can also enable persistent browser sessions / set policies to enforce sign-out after inactivity. This limits the refresh token's effectiveness by ending the session after a specified period of inactivity.

    For more details on Conditional Access settings, you can refer to:

    ->Conditional Access overview

    ->Session controls in Conditional Access.

    Should you find this information helpful, kindly express your acknowledgment by clicking the "Upvote" and "Accept Answer" buttons on the post.

    1 person found this answer helpful.
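The portal steps in the accepted answer (sign-in frequency plus persistent browser session controls) can also be scripted. The following is an added example, not code from the original answer or from Microsoft: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to create the Conditional Access policy in report-only mode, excludes a break-glass account, and then lists every policy that enforces a sign-in frequency so you can verify what is in effect. The group ID, user ID and policy display name are placeholders you would replace with your own.

```powershell
# Added example (not from the original post). Creates a Conditional Access policy with
# Microsoft Graph PowerShell that caps the SSO session with an 8-hour sign-in frequency
# and disables persistent browser sessions. Requires the Microsoft.Graph PowerShell SDK.
# The IDs below are assumed placeholders; replace them with objects from your tenant.

$PilotGroupId     = "00000000-0000-0000-0000-000000000001"   # assumed: group the policy is scoped to
$BreakGlassUserId = "00000000-0000-0000-0000-000000000002"   # assumed: emergency-access account to exclude

# Delegated permissions needed to read and create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "Session: 8h sign-in frequency, no persistent browser"
    # Report-only first: sign-in logs show who would be affected before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Forces a fresh interactive sign-in every 8 hours regardless of refresh token age.
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 8
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Browser session ends when the browser is closed instead of persisting across restarts.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: every policy that enforces a sign-in frequency, with its period and browser setting.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = "Frequency";         e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } },
        @{ n = "PersistentBrowser"; e = { $_.SessionControls.PersistentBrowser.Mode } }

# Once the report-only results look right, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keep the break-glass exclusion and the report-only state as written: a sign-in frequency policy that is enforced on every account at once, including the emergency-access account, is a common way to lock administrators out of the tenant.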

0 additional answers
