Refresh Token and Conditional Access Policy

Krishna 6 Reputation points
2021-02-23T21:45:38.037+00:00

It's not clear to me how/when a refresh token is considered invalid. If I have a refresh token for an application, does it become invalid if a sign in frequency threshold is hit?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

4 answers

  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-02-24T14:29:32.88+00:00

    @Krishna Thanks for reaching out.

    You can control when the refresh token gets invalidated in your organization by using Refresh Token Max Inactive Time policy.

    This policy controls how old a refresh token can be before a client can no longer use it to retrieve a new access/refresh token pair when attempting to access this resource. Because a new refresh token usually is returned when a refresh token is used, this policy prevents access if the client tries to access any resource by using the current refresh token during the specified period of time.
    This policy forces users who have not been active on their client to reauthenticate to retrieve a new refresh token.

    The Refresh Token Max Inactive Time property must be set to a lower value than the Single-Factor Token Max Age and the Multi-Factor Refresh Token Max Age properties.

    Here are a few changes which were made last month: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes


    Read this example to understand more.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


  2. Krishna 6 Reputation points
    2021-02-24T14:38:59.633+00:00

    Thank you! @VipulSparsh-MSFT

    I am not concerned about the Refresh Token Max Inactive Time policy.

    I am more concerned about "Sign In Frequency" on a conditional access policy (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)

    Could "Sign In Frequency" cause a refresh token to be invalid and not work for getting a valid access token?

    For instance, say I have a web server that stores the refresh token for a user. Let's say some time has elapsed, and the "Sign In Frequency" threshold has been hit.

    Does this mean that when the web server tries to obtain an access token using the refresh token, it will fail?

    I'm not clear on the relationship between a refresh token and conditional access policy.

    Best,
    Krishna


  3. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-03-02T05:09:42.853+00:00

    @Krishna
    If you use the sign-in frequency setting option, the user must be prompted for the credential. At that time, the refresh token is not silently used to fetch the access token, and it is treated as a new sign-in. This does not use the previous refresh token and ignores it.

    Here are 2 different scenarios which you might have covered already, but I am putting them here for community use:

    If you have Azure AD joined, hybrid Azure AD joined, or Azure AD registered devices, when a user unlocks their device or signs in interactively, this event will satisfy the sign-in frequency policy as well. In the following two examples user sign-in frequency is set to 1 hour:

    Example 1:

    - At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
    - The user continues working on the same document on their device for an hour.
    - At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator.

    Example 2:

    - At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
    - At 00:30, the user gets up and takes a break, locking their device.
    - At 00:45, the user returns from their break and unlocks the device.
    - At 01:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, since the last sign-in happened at 00:45.

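The two examples above can be checked against a small model of the rule the answer describes: an interactive sign-in always resets the sign-in frequency clock, a device unlock resets it only on an Azure AD joined, hybrid joined or registered device, and once the threshold is reached the stored refresh token is no longer redeemed silently. The code below is an added illustration written for this page, not Microsoft's evaluation logic and not code from the thread; the event kinds, the `device_registered` flag and the sample timestamps are assumptions.

```python
# Added example (not from the Q&A thread): a model of how a sign-in frequency
# policy decides whether a silent token refresh is still allowed, following the
# rules described in the answer above. Microsoft's real evaluation logic is not
# shown here; this is an illustrative reconstruction.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

INTERACTIVE_SIGN_IN = "interactive_sign_in"
DEVICE_UNLOCK = "device_unlock"


@dataclass(frozen=True)
class SignInEvent:
    at: datetime
    kind: str  # INTERACTIVE_SIGN_IN or DEVICE_UNLOCK


def qualifying_events(events: Iterable[SignInEvent], device_registered: bool) -> List[SignInEvent]:
    """Return the events that reset the sign-in frequency clock.

    An interactive sign-in always counts. A device unlock counts only when the
    device is Azure AD joined, hybrid joined or registered (device_registered).
    """
    out = []
    for e in events:
        if e.kind == INTERACTIVE_SIGN_IN:
            out.append(e)
        elif e.kind == DEVICE_UNLOCK and device_registered:
            out.append(e)
    return out


def next_prompt_time(events: Iterable[SignInEvent], frequency: timedelta,
                     device_registered: bool = True) -> Optional[datetime]:
    """Time at which the user will next be prompted to sign in interactively.

    None means no qualifying sign-in exists at all, so the very next request
    already needs an interactive sign-in.
    """
    q = qualifying_events(events, device_registered)
    if not q:
        return None
    return max(e.at for e in q) + frequency


def silent_refresh_allowed(now: datetime, events: Iterable[SignInEvent], frequency: timedelta,
                           device_registered: bool = True) -> bool:
    """True if a stored refresh token may still be redeemed silently at `now`.

    Once the frequency threshold is reached, the policy requires a fresh
    interactive sign-in and the old refresh token is not used silently.
    """
    deadline = next_prompt_time(events, frequency, device_registered)
    return deadline is not None and now < deadline


# Constructed sample data reproducing the two examples in the answer
# (sign-in frequency = 1 hour, Azure AD joined Windows 10 device).
T0 = datetime(2021, 2, 24, 0, 0)  # "00:00"
ONE_HOUR = timedelta(hours=1)

EXAMPLE_1 = [SignInEvent(T0, INTERACTIVE_SIGN_IN)]
EXAMPLE_2 = [
    SignInEvent(T0, INTERACTIVE_SIGN_IN),
    # device locked at 00:30 (no event), unlocked at 00:45
    SignInEvent(T0 + timedelta(minutes=45), DEVICE_UNLOCK),
]

if __name__ == "__main__":
    print("Example 1 prompt at", next_prompt_time(EXAMPLE_1, ONE_HOUR).time())  # 01:00:00
    print("Example 2 prompt at", next_prompt_time(EXAMPLE_2, ONE_HOUR).time())  # 01:45:00
    # On a device that is not joined/registered the unlock does not count.
    print("Unregistered device, example 2:",
          next_prompt_time(EXAMPLE_2, ONE_HOUR, device_registered=False).time())  # 01:00:00
```

The third call shows the edge the answer only implies: if the unlock happens on a device that is not joined or registered, it does not reset the clock, and the prompt still comes at 01:00.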

  4. Krishna 6 Reputation points
    2021-03-02T11:01:22.413+00:00

    Hi @VipulSparsh-MSFT ,

    I think I need to clarify my use case.

    I have a custom web server (not SharePoint or any Microsoft product) that will hold a refresh token for an end user after they've completed an auth code flow. This web server will periodically, silently obtain new access token/refresh token pairs using the prior refresh token. My question is: will the call to refresh a token be rejected by Azure if the sign in frequency policy limit is hit? So far, I haven't been noticing this behavior in my testing, so I am confused as to why.
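For the use case in this post, the practical question is what the web server should do with the token endpoint's reply when a silent refresh is refused. The code below is an added example written for this page, not code from the thread and not part of any Microsoft library: it builds the refresh-token grant request, classifies the response (success, interactive sign-in required, transient failure) and updates a server-side token store so that a dead refresh token is discarded instead of retried forever. The endpoint URL, the `grant_type=refresh_token` form fields and the `error`/`error_description`/`error_codes` fields follow the documented v2.0 token endpoint; every response body below is a constructed sample, and the AADSTS code in it is a constructed illustration.

```python
# Added example (not part of the thread or of any Microsoft library): how a
# custom web server that holds a user's refresh token can handle the Microsoft
# identity platform token endpoint's answers, including a refusal caused by a
# Conditional Access requirement such as sign-in frequency.
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
AADSTS_RE = re.compile(r"AADSTS(\d+)")
CLOCK_SKEW_SECONDS = 300  # refresh a few minutes early (our own choice, not a platform value)


def build_refresh_request(tenant: str, client_id: str, client_secret: str,
                          refresh_token: str, scope: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, form) for a refresh-token grant; the caller POSTs the form."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    return url, form


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: int  # epoch seconds


@dataclass
class RefreshOutcome:
    tokens: Optional[TokenSet] = None
    interactive_required: bool = False  # user must redo the auth code flow
    retryable: bool = False             # transient failure; keep the old tokens
    error: Optional[str] = None
    aadsts: Optional[int] = None        # AADSTS code parsed from error_description, for triage


def parse_token_response(status: int, body: str, now: int,
                         prior_refresh_token: str) -> RefreshOutcome:
    """Classify a token endpoint response for a refresh-token grant."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        # The endpoint may or may not issue a new refresh token; keep the prior
        # one if none is returned.
        return RefreshOutcome(tokens=TokenSet(
            access_token=data["access_token"],
            refresh_token=data.get("refresh_token", prior_refresh_token),
            expires_at=now + int(data["expires_in"]),
        ))
    err = data.get("error")
    m = AADSTS_RE.search(data.get("error_description", ""))
    code = int(m.group(1)) if m else None
    if err in ("invalid_grant", "interaction_required"):
        # The grant can no longer be used silently (expired, revoked, or a policy
        # requirement such as sign-in frequency or MFA); only a new interactive
        # auth code flow can recover.
        return RefreshOutcome(interactive_required=True, error=err, aadsts=code)
    if status >= 500 or err == "temporarily_unavailable":
        return RefreshOutcome(retryable=True, error=err, aadsts=code)
    return RefreshOutcome(error=err, aadsts=code)


def needs_refresh(tokens: TokenSet, now: int) -> bool:
    """Refresh shortly before the access token expires rather than after."""
    return now >= tokens.expires_at - CLOCK_SKEW_SECONDS


def apply_outcome(stored: Optional[TokenSet], outcome: RefreshOutcome) -> Optional[TokenSet]:
    """Update the server-side token store after a refresh attempt.

    Drop the stored tokens when the user must sign in interactively again, so
    the server stops retrying a refresh token the policy will keep refusing.
    """
    if outcome.tokens is not None:
        return outcome.tokens
    if outcome.interactive_required:
        return None
    return stored  # transient or unknown error: keep what we have, retry later


# Constructed sample responses (not captured from a real tenant).
SUCCESS_BODY = json.dumps({
    "token_type": "Bearer", "scope": "User.Read", "expires_in": 3599,
    "access_token": "eyJ.constructed.access", "refresh_token": "0.constructed-new-rt",
})
INTERACTIVE_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50076: constructed sample: interactive authentication required.",
    "error_codes": [50076],
})
OUTAGE_BODY = json.dumps({"error": "temporarily_unavailable",
                          "error_description": "constructed sample: service busy."})

if __name__ == "__main__":
    now = 1_614_000_000  # constructed epoch time
    stored = apply_outcome(None, parse_token_response(200, SUCCESS_BODY, now, "old-rt"))
    print("stored refresh token:", stored.refresh_token)            # 0.constructed-new-rt
    stored = apply_outcome(stored, parse_token_response(503, OUTAGE_BODY, now, stored.refresh_token))
    print("tokens kept after outage:", stored is not None)          # True
    stored = apply_outcome(stored, parse_token_response(400, INTERACTIVE_BODY, now, stored.refresh_token))
    print("tokens after policy refusal:", stored)                   # None -> start a new auth code flow
```

The design point is the `interactive_required` branch: a background job that keeps a user's refresh token must treat `invalid_grant` as a signal to clear the stored token and route the user back through the auth code flow, not as a transient error to retry, and the parsed AADSTS code is kept only for logging and triage.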

