How to Increase Access Token Lifetime to 24 Hours?

Question

How to Increase Access Token Lifetime to 24 Hours?

Tushar Lakhotia 0

I’m using the following URL to generate an Azure AD access token via Python:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

The token I get has a lifetime of 3600 seconds (1 hour), but I need it to last for 24 hours.

Is there any way to increase the access token lifetime using the Azure Portal or any other method?

Thanks!

Vinodh247 34,741 Reputation points MVP Volunteer Moderator

2025-04-18T16:24:14.9066667+00:00
Hi ,

Thanks for reaching out to Microsoft Q&A.

You cannot directly increase the access token lifetime to 24 hours for tokens issued by Azure AD (Microsoft Identity Platform v2.0 endpoint) via the /oauth2/v2.0/token endpoint.

Here is the truth..,

Access Token Lifetime Limitations

By default, Azure AD access tokens have a lifetime of 1 hour (3600 seconds).

You cannot configure the access token lifetime for apps using v2.0 endpoints (/oauth2/v2.0/token) through the Azure Portal or using policies. Microsoft removed support for token lifetime policies for v2.0 apps.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#configurable-token-lifetime-policy-retirement

Alternative Approaches

Use Refresh Tokens

Instead of trying to extend the access token lifetime, use refresh tokens to silently acquire new tokens when they expire.

Refresh tokens are valid for 90 days by default, and automatically rotate on use.

Client Credentials Flow Limitation

If you are using client credentials flow (application-only token), you will only get 1-hour lifetime, and there is no refresh token. You must reauthenticate after expiry.

In that case, your only workaround is to rerequest a token programmatically every hour (before expiry).

Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-18T23:39:16.0666667+00:00

Hello Tushar Lakhotia

I wanted to follow up to see if you’ve had a chance to review the answer provided by Vinodh247

I hope this information helps to you and let me know if you have any further questions, we will be happy to help you.
Gagan Gupta 0 Reputation points

2025-04-19T05:14:25.4033333+00:00
Hi Vinodh,

We're encountering issues while trying to set a 24-hour access token lifetime ("23:59:59") for a specific app using client credentials flow with the /oauth2/v2.0/token endpoint.

The TokenLifetimePolicy is created and assigned to the service principal.

It shows as assigned, but the token lifetime remains 1 hour.

If we set "isOrganizationDefault": true, it works — but applies to all apps in the tenant, which is a security concern because it overrides the token lifetime for all applications within the tenant, rather than being scoped to a specific app.

Now, here's the confusion: You mention that token lifetime policies are no longer supported for v2.0 apps, but the documentation is still available, and surprisingly, applying a policy works at the tenant-wide level. Why the inconsistency? If this functionality is indeed deprecated, why does it still work when applying to the whole tenant? And why is it not possible to apply it to a specific app registration?

Is this a limitation we’re encountering, or is there something we’re missing?

Reference: https://learn.microsoft.com/en-us/graph/api/resources/tokenlifetimepolicy?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/application-post-tokenlifetimepolicies?view=graph-rest-1.0&tabs=javascript

Thanks
Tushar Lakhotia 0 Reputation points

2025-04-19T05:20:39.2266667+00:00

Hello @Vinodh247 ,

Thanks for the answer. Can you share me the script for this refresh token?

Vinodh247 34,741 MVP Volunteer Moderator

below is a Python script that demonstrates using MSAL (Microsoft Auth Library) to authenticate using Authorization Code Flow, cache the refresh token, and automatically refresh the access token when needed.

This approach only works if your app uses a user context, not client credentials flow.

Pre-requisites

Register an app in Azure AD.
In Azure Portal:
- Enable Redirect URI (e.g., http://localhost).
- Add API permissions (e.g., Microsoft Graph User.Read).
Set platform as Web and allow http://localhost.

--> install msal: pip install msal

Sample, python Script with Refresh Token Handling:

import msal
import webbrowser
import os
import json
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "your-client-secret"
TENANT_ID = "your-tenant-id"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
REDIRECT_URI = "http://localhost"
SCOPES = ["User.Read"]  # or your required scopes
# Token cache persistence
CACHE_PATH = "token_cache.json"
def load_cache():
    cache = msal.SerializableTokenCache()
    if os.path.exists(CACHE_PATH):
        cache.deserialize(open(CACHE_PATH, "r").read())
    return cache
def save_cache(cache):
    if cache.has_state_changed:
        with open(CACHE_PATH, "w") as f:
            f.write(cache.serialize())
def get_token():
    cache = load_cache()
    app = msal.PublicClientApplication(
        client_id=CLIENT_ID,
        authority=AUTHORITY,
        token_cache=cache
    )
    accounts = app.get_accounts()
    if accounts:
        # Try to get token silently using refresh token
        result = app.acquire_token_silent(SCOPES, account=accounts[0])
        if result:
            print("Token acquired silently")
            save_cache(cache)
            return result["access_token"]
    # If silent token acquisition fails, do interactive login
    flow = app.initiate_device_flow(scopes=SCOPES)
    if "user_code" not in flow:
        raise ValueError("Failed to create device flow")
    print(f"Please authenticate: {flow['message']}")
    result = app.acquire_token_by_device_flow(flow)
    if "access_token" in result:
        print("Access token acquired")
        save_cache(cache)
        return result["access_token"]
    else:
        raise RuntimeError("Failed to acquire token")
if __name__ == "__main__":
    token = get_token()
    print("Access Token:", token)

What This Script Does:

Tries to acquire token silently (using refresh token).

If it fails, prompts you via device code flow to sign in.

Caches the token and refresh token to token_cache.json.

On subsequent runs, it uses the cached refresh token to renew the access token without prompting.

Tushar Lakhotia 0 Reputation points

2025-04-21T09:42:40.56+00:00

Hello @Vinodh247
I need to generate the token and use it somewhere else; I cannot integrate the token script there. So, I need to just copy paste it after generating it.
This is why I need a kind of Permanant token for 30-60 days.
Vinodh247 34,741 Reputation points MVP Volunteer Moderator

2025-04-22T14:00:16.8666667+00:00

Not possible. AD tokens are short lived by design (~1 hr), even with custom policies cant be done.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-22T18:57:34.92+00:00

Hello Tushar Lakhotia

I wanted to follow up to see if you’ve had a chance to review the answer provided by Vinodh247

As Vinodh said it was not possible. AD tokens are short lived by design (~1 hr) due to security concerns

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#token-lifetime

I hope this information helps to you and let me know if you have any further questions, we will be happy to help you.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-23T20:29:45.44+00:00

Hello Tushar Lakhotia

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-24T17:14:12.25+00:00

Hello Tushar Lakhotia

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back

1 answer

Your answer

Vinodh247 34,741 Reputation points MVP Volunteer Moderator

2025-04-18T16:24:14.9066667+00:00

Hi ,

Thanks for reaching out to Microsoft Q&A.

You cannot directly increase the access token lifetime to 24 hours for tokens issued by Azure AD (Microsoft Identity Platform v2.0 endpoint) via the /oauth2/v2.0/token endpoint.

Here is the truth..,

Access Token Lifetime Limitations

By default, Azure AD access tokens have a lifetime of 1 hour (3600 seconds).

You cannot configure the access token lifetime for apps using v2.0 endpoints (/oauth2/v2.0/token) through the Azure Portal or using policies. Microsoft removed support for token lifetime policies for v2.0 apps.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#configurable-token-lifetime-policy-retirement

Alternative Approaches

Use Refresh Tokens

Instead of trying to extend the access token lifetime, use refresh tokens to silently acquire new tokens when they expire.

Refresh tokens are valid for 90 days by default, and automatically rotate on use.

Client Credentials Flow Limitation

If you are using client credentials flow (application-only token), you will only get 1-hour lifetime, and there is no refresh token. You must reauthenticate after expiry.

In that case, your only workaround is to rerequest a token programmatically every hour (before expiry).

Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-18T23:39:16.0666667+00:00

Hello Tushar Lakhotia

I wanted to follow up to see if you’ve had a chance to review the answer provided by Vinodh247

I hope this information helps to you and let me know if you have any further questions, we will be happy to help you.
Gagan Gupta 0 Reputation points

2025-04-19T05:14:25.4033333+00:00

Hi Vinodh,

We're encountering issues while trying to set a 24-hour access token lifetime ("23:59:59") for a specific app using client credentials flow with the /oauth2/v2.0/token endpoint.

The TokenLifetimePolicy is created and assigned to the service principal.

It shows as assigned, but the token lifetime remains 1 hour.

If we set "isOrganizationDefault": true, it works — but applies to all apps in the tenant, which is a security concern because it overrides the token lifetime for all applications within the tenant, rather than being scoped to a specific app.

Now, here's the confusion: You mention that token lifetime policies are no longer supported for v2.0 apps, but the documentation is still available, and surprisingly, applying a policy works at the tenant-wide level. Why the inconsistency? If this functionality is indeed deprecated, why does it still work when applying to the whole tenant? And why is it not possible to apply it to a specific app registration?

Is this a limitation we’re encountering, or is there something we’re missing?

Reference: https://learn.microsoft.com/en-us/graph/api/resources/tokenlifetimepolicy?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/application-post-tokenlifetimepolicies?view=graph-rest-1.0&tabs=javascript

Thanks
Tushar Lakhotia 0 Reputation points

2025-04-19T05:20:39.2266667+00:00

Hello @Vinodh247 ,

Thanks for the answer. Can you share me the script for this refresh token?
Tushar Lakhotia 0 Reputation points

2025-04-21T09:42:40.56+00:00

Hello @Vinodh247
I need to generate the token and use it somewhere else; I cannot integrate the token script there. So, I need to just copy paste it after generating it.
This is why I need a kind of Permanant token for 30-60 days.
Vinodh247 34,741 Reputation points MVP Volunteer Moderator

2025-04-22T14:00:16.8666667+00:00

Not possible. AD tokens are short lived by design (~1 hr), even with custom policies cant be done.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-22T18:57:34.92+00:00

Hello Tushar Lakhotia

I wanted to follow up to see if you’ve had a chance to review the answer provided by Vinodh247

As Vinodh said it was not possible. AD tokens are short lived by design (~1 hr) due to security concerns

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#token-lifetime

I hope this information helps to you and let me know if you have any further questions, we will be happy to help you.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-23T20:29:45.44+00:00

Hello Tushar Lakhotia

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-04-24T17:14:12.25+00:00

Hello Tushar Lakhotia

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back

Answer 1

Hello @Tushar Lakhotia,

Based on your description, I understand that you're looking to extend the access token lifetime for a specific registered application in your tenant—ideally making the token valid for 24 hours instead of the default 1 hour.

It's possible and this can be achieved by configuring a token lifetime policy and assigning it to your application. Please note that this policy will apply only to the specific application and not at the tenant level. For example, if you assign a token lifetime policy with a 22-hour duration to App1, then all access, ID, or SAML tokens issued for App1 will respect that duration. All other applications in the tenant will continue using the default 1-hour (3600 seconds) lifetime.

For detailed steps, refer to the official documentation below. I’ve also included screenshots from my test tenant:

Configure token lifetime policies (preview)

Step 1: Create the Token Lifetime Policy

You can create the policy using Graph Explorer:

Request:

POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
Content-Type: application/json

Request Body:

{
    "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"23:59:00\"}}"
    ],
    "displayName": "Contoso token lifetime policy",
    "isOrganizationDefault": false
}

Paste this JSON into the "Request Body" section of Graph Explorer.

User's image

In the "Request Headers," set: Content-Type: application/json

User's image

Under "Modify permissions," grant Policy.ReadWrite.ApplicationConfiguration

User's image

Click Run query to create the policy. You’ll get a response containing the policy ID.

User's image

Step 2: Assign the Policy to the Application

Next, assign this policy to the service principal of your app.

Request:

POST https://graph.microsoft.com/v1.0/servicePrincipals/{sp-object-id}/tokenLifetimePolicies/$ref
Content-Type: application/json

Request Body:

{

  "@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/00aa00aa-bb11-cc22-dd33-44ee44ee44ee"

}

Replace {sp-object-id} with the object ID of your app’s service principal (available in the Enterprise Applications blade).

Replace {policy-id} with the ID returned when you created the policy.

Ensure you’ve granted Application.ReadWrite.All permissions.

Run the query. A successful response confirms the policy has been assigned.

User's image

Step 3: Validate the Token

Now, generate an access token for your application and check its expiration (exp claim) and audience (aud claim). The token should now reflect the configured lifetime (e.g., 23 hours 59 minutes).

In my case, I configured the policy for 23 hours and 59 minutes, and I was able to successfully obtain a token with the expected validity period, as defined by my policy.

User's image If you observe the screenshot above, you’ll see that I have assigned my token lifetime policy to my application with client ID 1158b426-d00d-4327-8a3b-2a8907d7650c, and the token was indeed issued for my app (as indicated by the aud claim).

The audience claim plays a crucial role when testing token lifetime policy scenarios. This is because if your application requests a token using Microsoft Graph as the resource, the issued token will have a default lifetime of 1 hour, regardless of the custom policy applied.

This is expected behavior. The token lifetime policy was applied to your web application, not to Microsoft Graph, which is a first-party resource. It is not recommended to assign custom token lifetime policies to first-party resources like Microsoft Graph, as it acts as an aggregator for multiple services across Azure and Microsoft 365. Modifying its token settings could inadvertently impact the behavior of other Microsoft services.

Share via

How to Increase Access Token Lifetime to 24 Hours?

1 answer

Your answer