![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 19%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
25,081 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 0%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOE%3C/text%3E%3C/svg%3E)
Thanks for using the Q&A platform.
Azure B2C uses long-lived refresh tokens typically valid for 24hr even if the session expires on the server, your Angular app may silently renew tokens unless explicitly restricted via RefreshTokenLifetime settings, which is only configurable in custom policies.
To fully enforce a 10-hour session lifetime for your Angular SPA with Azure AD B2C, my recommendation would be to use custom policies.
Kindly find Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-the-custom-policy
Ensure refresh token issuance respects session expiry, avoid localStorage, and disable “Keep me signed in.” If a user checks “Keep me signed in”, the session becomes persistent, which overrides the session lifetime you’ve defined.
If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.
Regards,
Obinna.