Additional Microsoft Entra services and features related to identity, access, and network security
Refresh token lifetimes for Microsoft Entra ID (used behind SSO to Sophos or any other app) cannot be reduced or customized anymore. Microsoft Entra always issues refresh tokens with the platform defaults, and those values are not configurable per application.
Key points from the platform behavior:
- Default refresh token lifetimes
  - 24 hours for single-page applications (redirect URI registered as `spa`).
  - 24 hours for apps using the email one-time passcode flow.
  - 90 days for all other scenarios.
  These values apply regardless of the downstream application (such as Sophos Firewall) consuming Entra-issued tokens.
- Refresh token lifetime policies are retired
  - Token lifetime policies for refresh tokens and session tokens are no longer honored.
  - As of January 30, 2021, new refresh tokens always use the default configuration.
  - Existing refresh tokens keep their original lifetime until they expire, then new ones follow the defaults.
  - Only access, SAML, and ID token lifetimes remain configurable.
- What can still be controlled
  - Access, SAML, and ID token lifetimes can be adjusted via configurable token lifetime policies and assigned to apps.
  - To control how often users must sign in again (for SSO scenarios), use Conditional Access sign-in frequency and session management rather than trying to shorten refresh token lifetimes.
- Recommended approach for your scenario
  - It is not possible to directly reduce the SSO refresh token duration for the Sophos Firewall application via Entra ID.
  - To effectively shorten SSO duration for users:
    - Configure sign-in frequency and session controls in Conditional Access so users are required to reauthenticate more often.
    - Optionally adjust access/ID token lifetimes for the application if needed, understanding that refresh tokens will still follow platform defaults.
There is no supported way in Microsoft Entra ID to make refresh tokens themselves expire more quickly for a specific application such as Sophos Firewall.
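As an added example (not part of the original answer), the following Microsoft Graph PowerShell script applies the two controls that remain available: a shorter access token lifetime policy assigned to the app, and a Conditional Access sign-in frequency policy scoped to it, created in report-only mode. The application display name 'Sophos Firewall', the policy names and the one-day frequency are assumptions; no refresh token lifetime appears in the policy definition because Entra no longer honors one.

```powershell
# Added example: requires the Microsoft.Graph module and an admin able to grant these scopes.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', `
    'Policy.ReadWrite.ApplicationConfiguration', 'Policy.ReadWrite.ConditionalAccess'

$appDisplayName = 'Sophos Firewall'   # assumption: adjust to your app registration's name
$app = Get-MgApplication -Filter "displayName eq '$appDisplayName'"
if (-not $app) { throw "Application '$appDisplayName' not found" }

# 1) Access/ID token lifetime is still configurable (allowed range 10 minutes to 24 hours).
#    There is intentionally no refresh token entry here: the platform ignores such settings.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = '01:00:00'   # one hour
    }
} | ConvertTo-Json -Compress -Depth 5

$policy = New-MgPolicyTokenLifetimePolicy -DisplayName 'SophosShortAccessToken' `
    -Definition @($definition) -IsOrganizationDefault:$false

# Assign the policy to the application so only this app is affected.
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $app.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
}

# 2) Conditional Access sign-in frequency: users of this app must reauthenticate every day,
#    and browser sessions are not persisted. Report-only state lets you review sign-in logs
#    for impact before switching the state to 'enabled'.
$caPolicy = @{
    displayName = 'Sophos Firewall - sign-in frequency 1 day'   # assumed policy name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @($app.AppId) }
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'days'; value = 1 }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

After the policy has run in report-only mode, the Conditional Access insights in the sign-in logs show which sessions would have been forced to reauthenticate.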