Are there any access restrictions on Client Secret Connection Type?

박효림 1 Reputation point
2021-08-12T05:20:03.263+00:00

I wonder if there are any restrictions such as limiting the number of connections for 10 minutes.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,912 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,341 Reputation points
    2021-08-13T11:02:32.363+00:00

    Hi @박효림 • Thank you for reaching out.

    By Client Secret Connection, I assume you are referring to connection established after acquiring token using Client ID and Client Secret. Correct me if I am wrong.

    If this is the case, as of now there is no option to set specific session limit/expiry for a given service principal.

    Best you can do at this time is, reducing the Access Token lifetime to 10 minutes for the resource/API you are trying to access by using Access Token acquired using Client Credentials.

    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}') -DisplayName "AccessTokenPolicy" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"  
      
    Get-AzureADPolicy -Id $policy.Id  
      
    # Get ID of the service principal  
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<display name of resource/API service principal>'"  
      
    # Assign policy to a service principal  
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id  
    

    Note: With the above configuration, if you acquire a token for the given resource/API under user context (rather than client credentials), the validity of the Access Token would still be 10 min but in that case you can acquire a refresh token which will be redeemed to acquire new Access Token. However, when client credential flow is used, no refresh token is issued and new access token would need to be acquired after 10 min by making a new token acquisition call.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments