How do I reduce the duration of access tokens for all Microsoft applications from MS Entra?

S Abdul Azeem Shah 20 Reputation points
2024-10-16T03:59:00.77+00:00

Hi, I'm looking for a way to see if there is a way to reduce the duration of access tokens from the default to the minimum value. If so, how do I make that change? Any help would be much appreciated.

I am looking to change it from MS Entra since all of our applications are cloud apps and onboarded with MS Entra. Thanks in advance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Sandeep G-MSFT 21,131 Reputation points Microsoft Employee Moderator
    2024-10-16T09:15:22.4966667+00:00

    @S Abdul Azeem Shah

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to reduce the token lifetime of access tokens for all applications in your tenant. Ideally, configuring token lifetime is a policy that needs to be created and then assigned to the application.

    You can configure the access token lifetime to the values below:

    • Minimum: 10 minutes
    • Maximum: 1 day

    Below is the article that contains the script to create a policy and assign it to a particular app.

    https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-an-app

    However, there is no article on implementing this for all applications in your tenant, but you can try the script below, which will help you:

    # Install required module
    Install-Module Microsoft.Graph

    # Connect to Microsoft Graph with appropriate scopes
    Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"

    # Create a token lifetime policy with AccessTokenLifetime and IdTokenLifetime set to 30 minutes (00:30:00)
    $params = @{
        Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00", "IdTokenLifetime":"00:30:00"}}')
        DisplayName = "WebPolicyScenario"
        IsOrganizationDefault = $false
    }
    $tokenLifetimePolicyId = (New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id

    # Display the created policy to confirm
    Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId

    # Retrieve all applications in the tenant
    $allApplications = Get-MgApplication -All

    # Assign the token lifetime policy to all applications
    foreach ($app in $allApplications) {
        $applicationObjectId = $app.Id
        # The reference body must contain the policy URL as a quoted string
        $policyParams = @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
        }
        # Assign the token lifetime policy to each application
        New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $policyParams
        Write-Host "Policy assigned to Application: $($app.DisplayName)"
    }

    # Verify the policy on all apps
    foreach ($app in $allApplications) {
        Get-MgApplicationTokenLifetimePolicy -ApplicationId $app.Id
    }

    # Cleanup: if needed, remove the policy from all applications
    #foreach ($app in $allApplications) {
    #    Remove-MgApplicationTokenLifetimePolicyByRef -ApplicationId $app.Id -TokenLifetimePolicyId $tokenLifetimePolicyId
    #}

    # Optionally, delete the policy (if no longer needed)
    #Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
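As an added example (not part of the answer above or of Microsoft's documentation), the script below wraps the same Microsoft Graph cmdlets the answer uses in three functions a practitioner would want before running a tenant-wide assignment: one that builds the policy definition from a `[timespan]` and rejects values outside the 10 minute to 1 day range the answer states, one that reports which app registrations already carry a token lifetime policy and what access token lifetime it sets, and one that assigns a given policy only to apps that have none yet, with `-WhatIf` support for a dry run. It assumes the Microsoft.Graph module is installed and that `Connect-MgGraph` has already been run with the scopes the answer lists; the function names and the `MinimumAccessTokenLifetime` display name are constructed for this example.

```powershell
# Added example, not the answer's script. Assumes an existing Connect-MgGraph
# session with Policy.ReadWrite.ApplicationConfiguration, Policy.Read.All and
# Application.ReadWrite.All (the scopes the answer lists).

function New-TokenLifetimePolicyDefinition {
    # Builds the JSON definition string that New-MgPolicyTokenLifetimePolicy
    # expects, rejecting lifetimes outside the 10 minute to 1 day range.
    param(
        [Parameter(Mandatory)][timespan]$AccessTokenLifetime,
        [timespan]$IdTokenLifetime
    )
    if (-not $PSBoundParameters.ContainsKey('IdTokenLifetime')) {
        $IdTokenLifetime = $AccessTokenLifetime
    }
    $min = [timespan]::FromMinutes(10)
    $max = [timespan]::FromDays(1)
    foreach ($t in @($AccessTokenLifetime, $IdTokenLifetime)) {
        if ($t -lt $min -or $t -gt $max) {
            throw "Lifetime $t is outside the supported range ($min to $max)."
        }
    }
    # 'c' is .NET's constant TimeSpan format: 30 minutes renders as 00:30:00,
    # the same string shape the answer's definition uses.
    $policy = @{
        TokenLifetimePolicy = @{
            Version             = 1
            AccessTokenLifetime = $AccessTokenLifetime.ToString('c')
            IdTokenLifetime     = $IdTokenLifetime.ToString('c')
        }
    }
    # Graph takes the definition as a one-element array of JSON strings.
    return @(($policy | ConvertTo-Json -Compress -Depth 3))
}

function Get-ApplicationTokenLifetimeReport {
    # One row per app registration: the token lifetime policy assigned to it
    # (if any) and the access token lifetime that policy sets.
    Get-MgApplication -All -Property Id,DisplayName,AppId | ForEach-Object {
        $app = $_
        $assigned = Get-MgApplicationTokenLifetimePolicy -ApplicationId $app.Id
        $accessLifetime = $null
        if ($assigned -and $assigned.Definition) {
            $parsed = $assigned.Definition[0] | ConvertFrom-Json
            $accessLifetime = $parsed.TokenLifetimePolicy.AccessTokenLifetime
        }
        [pscustomobject]@{
            DisplayName         = $app.DisplayName
            AppId               = $app.AppId
            ObjectId            = $app.Id
            PolicyDisplayName   = $assigned.DisplayName
            PolicyId            = $assigned.Id
            AccessTokenLifetime = $accessLifetime
        }
    }
}

function Add-TokenLifetimePolicyToUnassignedApps {
    # Assigns $PolicyId only to apps with no token lifetime policy yet, so apps
    # that were deliberately given a different lifetime are left alone.
    # Supports -WhatIf / -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PolicyId)
    $ref = @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$PolicyId"
    }
    foreach ($row in Get-ApplicationTokenLifetimeReport) {
        if ($row.PolicyId) {
            Write-Verbose "Skipping $($row.DisplayName): already has policy '$($row.PolicyDisplayName)'"
            continue
        }
        if ($PSCmdlet.ShouldProcess($row.DisplayName, "Assign token lifetime policy $PolicyId")) {
            New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $row.ObjectId -BodyParameter $ref
        }
    }
}

# Usage: create a 10 minute policy (the minimum the answer gives), dry-run the
# assignment, then report the resulting state.
$definition = New-TokenLifetimePolicyDefinition -AccessTokenLifetime ([timespan]::FromMinutes(10))
$policy = New-MgPolicyTokenLifetimePolicy -BodyParameter @{
    Definition            = $definition
    DisplayName           = 'MinimumAccessTokenLifetime'   # constructed name for this example
    IsOrganizationDefault = $false
}
Add-TokenLifetimePolicyToUnassignedApps -PolicyId $policy.Id -WhatIf -Verbose
# Remove -WhatIf once the dry run looks right:
# Add-TokenLifetimePolicyToUnassignedApps -PolicyId $policy.Id -Verbose
Get-ApplicationTokenLifetimeReport | Format-Table DisplayName, PolicyDisplayName, AccessTokenLifetime
```

The report is worth keeping as a recurring check: new app registrations created after the rollout will have no policy assigned, and re-running `Add-TokenLifetimePolicyToUnassignedApps` picks up only those without touching apps that already have one.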

