This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 70%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi all,
i have recently migrated a SP2013 solution to SharePoint 2019 and implemented Azure AD as a Trusted Identity Token issuer using AzureCP as claim provider, migrating windows users to claim equivalents. Our users experience that they have to re-authenticate more frequently because of expiring access tokens. Before it was possible to configure access token lifetimes using app bound policies in Azure AD, but as i understood this is being replaced by Conditional Access - Sign-in frequency and access tokens will be set to a default of 60 minutes expiration as of January 30th. If i'm not able to extend the access token lifetimes, sadly i might have to revert back to using Windows Authentication.
I am trying to find a way to implement ADAL or MSAL to improve user experience, ideally silently acquiring access tokens based on the logged-in users' token. I am not sure if this is possible, since i don't interfere in the default authentication process. Instead I'm trying to acquire a token using the claims at hand, but if i understand correctly the claims principal i can access is not the actual Azure AD principal but one that's already processed by SharePoint. Just using the AcquireTokenSilentAsync method from the ADAL libraries, results in a token cache error (Failed to acquire token silently as no token was found in the cache. Call method AcquireToken). Probably because i don't initiate the authentication and don't have any Token Cache, but maybe also because i don't know what UserIdentifier i should use to acquire the token. I only have a UPN and NameId claim available which seem issued by the security token service of SharePoint.
I am thinking of customizing the authentication process, so that i can override the initial authentication process and manually redirect the user to microsoftonline, trying to catch the initial token and initializing a token cache item. I have no clue if this is even possible..
Can anyone point me in the right direction or is there an easier way to extend access token lifetimes from SharePoint context knowing that adjusting accesstokenlifetimes in AzureAD is not an option? Am I bound to ADAL because SharePoint Server can only handle SAML tokens or is MSAL with Integrated Windows Authentication a better option ?
Thanks!
okay... i feel pretty stupid...
When i try to run this command:
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
it results in:
New-AzureADPolicy : Error occurred while executing NewPolicy
Code: Request_BadRequest
Message: Configure Token Lifetime for RT/ST (Refresh/Session Token) has been retired on May 30, 2020. New policy cannot
be created anymore.
Which lead me to believe that adjusting AccessTokenLifetime was also being retired. I had seen that above picture many times, and didn't understand why it said "no changes" to AccessTokenLifetimes.
But this still works fine:
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Not yet able to verify if this solves my problem, but i think it will.
Hi @Jacques398839883988 ,
If the issue is identified as resolved with the above approach, you can accept your reply as an answer so that others who stuck in a similar issue could get answered quickly.
Thanks
Baker Kong
Hi @Jacques398839883988 ,
Per the doc suggestion, you may need to turn to sign-in frequency in Conditional Access. For more details, please refer to
Best Regards,
Baker Kong
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
hi Baker,
thanks for your reply.
Sign-in frequency requires end-users to be redirected to Azure AD on a regular basis:
"The sign-in frequency setting works with SAML applications as well, as long as they do not drop their own cookies and are redirected back to Azure AD for authentication on regular basis."
I want to configure how regular this is, or automate this for users. Now, using sign-in frequency, our users are redirected to the SharePoint login page every ~60 minutes because Azure AD expires its accesstokens. In our case, we use FBA and Azure AD to login to SharePoint, and a custom login-page that lets users choose between these two. When the accesstoken expires, Azure AD users log out of SharePoint and are redirected back to the login page. Then they click the Azure AD sign-in link, and are being redirected back to SharePoint without having to sign-in again (Sign-in frequency works as expected). but again with an accesstokenlifetime of 60 minutes.
As you will understand, suddenly being logged out of SharePoint while trying to save a form, losing your input, is not desirable. May be my only option is to show the users that their session is about to expire using javascript, but ideally i would like to silently acquire a new token for the logged in user, respecting their sign-in frequency. Do you know if and how that's possible?