Access Token Lifetimes

sujith reddy komma 76 Reputation points
2019-12-30T09:45:33.04+00:00

Hi,

I want to increase the Access token lifetime to one day.I used the poilcy like below
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:59:59","MaxAgeSessionSingleFactor":"23:59:59"}}') -DisplayName "AzureAPIMAccessTokenPolicy" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

Then i have added to my app

Add-AzureADApplicationPolicy -Id XXXX-RefObjectId XXX

But when i generate the token using the below

https://login.microsoftonline.com/XXXX/oauth2/token

it still expires in 1hr.

i Have waited for more than 2 hrs.

Can you Please help me with this?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,752 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,450 questions
{count} votes

Accepted answer
  1. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2019-12-31T21:47:40.503+00:00

    @sujith reddy komma ,

    I tested the process in my lab and it works for me.

    Policy Created using the PS Cmdlet:

        Set-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:00:00"}}') -Id "b477b9f2-3f7d-4ccf-a702-1af7224a8016" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"  
      
    PS C:\windows\system32> $policyID = "b477b9f2-3f7d-4ccf-a702-1af7224a8016"  
    PS C:\windows\system32> $sp = Get-AzureADServicePrincipal -SearchString "Access"  
      
    PS C:\windows\system32> Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policyID  
    PS C:\windows\system32> Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId  
      
    Id                                   DisplayName                       Type                IsOrganizationDefault  
    --                                   -----------                       ----                ---------------------  
    b477b9f2-3f7d-4ccf-a702-1af7224a8016 ExtendedAccessTokenLifetimePolicy TokenLifetimePolicy False  
    

    After that I tried getting an Access Token from Azure AD using the Authorization Code Grant Flow of OAuth2.0 protocol and got the token with the following lifetime mentioned:

    alt text

    Note: Inorder for this AzureADPolicy to work and provide you desired access token's lifetime, you need to keep in mind that when you make a request for the token by reaching the token endpoint of AzureAD, in the request body, for the resource parameter, you need to specify the "App ID" on whose corresponding Service Principal you have attached this Azure AD Policy.

    alt text

    Note: This custom lifetime for Access Tokens, cant be set for first party resources like Graph API etc.

    Hope this helps.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. theodorbrander 56 Reputation points
    2019-12-30T10:14:27.793+00:00

    I assume you followed this guidance?
    Below is the code snippets to create a policy. Just validate that it is created.

    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"  
    
    Get-AzureADPolicy -Id $policy.Id  
    
    # Get ID of the service principal  
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq ''"  
    
    
    # Assign policy to a service principal  
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id  
    
    0 comments No comments

  2. sujith reddy komma 76 Reputation points
    2019-12-30T18:46:09.977+00:00

    Hi,

    @soumi-MSFT @theodorbrander

    Thanks for the above

    I just want to increase the Access token lifetime of the APP that i created in Azure Active Directory

    the policy has bee created.i can verify that

    but when i run Get-AzureADServicePrincipal or Get-AzureADApplication neither this app or its object ID is visible in it. Is ti mandatory to create it at the Service Principal? How can i find my Servie Principal associated to this app? This policy has to be only assicated to one App registration which i created in the Azure Active DIrectory? is it posssible ?

    How can i create it?


  3. sujith reddy komma 76 Reputation points
    2019-12-31T06:05:46.047+00:00

    Hi Soumi,

    I tried with the object ID i have to get the Service Principal like below

    Get-AzureADServicePrincipal -ObjectId

    But i am not able to fetch it

    I have created my app in the portal and got the object ID from it.

    Do i need to add any permissions ?