Configurable token lifetimes in Azure Active Directory for my Web API

Vov4ik 6 Reputation points
2020-02-17T20:15:48.113+00:00

I need to configure the token lifetime for my Web API. I've used the following guide, but the policy doesn't work. As I've noticed, for my Web API the following OrganizationDefaultPolicyScenario works. I made it work only by using AzureADPolicy with -IsOrganizationDefault set to $true, not $false.

My configuration:

OdataType :
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"02:00:00"}}}
DisplayName : OrganizationDefaultPolicyScenario
IsOrganizationDefault : True
KeyCredentials : {}
Type : TokenLifetimePolicy

OdataType :
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"08:00:00", "MaxInactiveTime":"30.00:00:00", "MaxAgeMultiFactor":"until-revoked", "MaxAgeSingleFactor":"180.00:00:00"}}}
DisplayName : WebApiDefaultPolicy
IsOrganizationDefault : False
KeyCredentials : {}
Type : TokenLifetimePolicy

PS C:\Users\1> Get-AzureADApplicationPolicy -Id

Id :
OdataType : #microsoft.graph.policy
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"08:00:00", "MaxInactiveTime":"30.00:00:00", "MaxAgeMultiFactor":"until-revoked", "MaxAgeSingleFactor":"180.00:00:00"}}}
DisplayName : WebApiDefaultPolicy
IsOrganizationDefault : False
KeyCredentials : {}
Type : TokenLifetimePolicy

Daniel Stefaniak 6 Reputation points
2020-02-19T00:51:55.32+00:00

You need to assign it to a service principal representing the resource your clients are accessing. What is your client, and what API is it accessing (aka, when you are asking for an access token, what is your resource parameter)?

Also, token lifetimes will be gone by the end of June (only access token timeout customizations are sticking around). Look at sign-in frequency in Conditional Access instead.
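As an added worked example (not part of the original question or answer), the following PowerShell puts the answer into practice: it creates a non-default TokenLifetimePolicy that sets only AccessTokenLifetime (the one property the answer says will survive), assigns it to the service principal of the Web API resource rather than to the application object that Get-AzureADApplicationPolicy inspects, and then verifies the result by decoding an access token issued for that API. It assumes the AzureADPreview module, a signed-in administrator, and a placeholder application (client) ID for the Web API; the policy display name and the Get-JwtLifetime helper are illustrative and not from the page.

```powershell
# Added example, not code from the original post. Requires the AzureADPreview module
# (New-AzureADPolicy and Add-AzureADServicePrincipalPolicy live there) and an
# already signed-in admin. The appId below is a placeholder, not a real tenant value.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Placeholder: Application (client) ID of the Web API app registration, i.e. the
# value clients use as the resource/audience when they request an access token.
$webApiAppId = '00000000-0000-0000-0000-000000000000'

# 1. Create a NON-default policy. Only AccessTokenLifetime is set; the answer notes
#    that MaxInactiveTime / MaxAgeSingleFactor / MaxAgeMultiFactor are being retired.
#    Valid range for AccessTokenLifetime is 10 minutes to 1 day.
$definition = @{
    TokenLifetimePolicy = @{ Version = 1; AccessTokenLifetime = '08:00:00' }
} | ConvertTo-Json -Compress -Depth 3

$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName 'WebApiAccessTokenPolicy' `
                            -Type 'TokenLifetimePolicy' `
                            -IsOrganizationDefault $false

# 2. Resolve the service principal that represents the API in this tenant.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$webApiAppId'"
if (-not $sp) { throw "No service principal found for appId $webApiAppId" }

# 3. Attach the policy to the resource's service principal. Attaching it to the
#    application object (Add-AzureADApplicationPolicy) is what the question shows
#    and is not where the token issuer looks for the resource's lifetime.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 4. Confirm the assignment landed on the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, IsOrganizationDefault, Definition

# 5. Check what the issuer actually granted: decode the payload of an access token
#    obtained by any client for this API and compare 'exp' with 'nbf'.
#    Helper name is illustrative; it only base64url-decodes the middle JWT segment.
function Get-JwtLifetime {
    param([Parameter(Mandatory)][string]$Token)

    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {   # restore base64 padding stripped by base64url
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $claims = [System.Text.Encoding]::UTF8.GetString(
                  [Convert]::FromBase64String($payload)) | ConvertFrom-Json

    [pscustomobject]@{
        Audience = $claims.aud
        NotBefore = [DateTimeOffset]::FromUnixTimeSeconds($claims.nbf).UtcDateTime
        Expires   = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        Lifetime  = [TimeSpan]::FromSeconds($claims.exp - $claims.nbf)
    }
}

# Usage (after a client has acquired a token for $webApiAppId):
#   Get-JwtLifetime -Token $accessToken
# Lifetime should now be close to 08:00:00 when Audience matches the Web API;
# a token with Lifetime around 01:00:00 means the default still applies, which
# usually indicates the policy is attached to the wrong object or to a different
# resource than the one named in the token request.
```

The decode step is the check worth keeping: a policy can exist, appear in Get-AzureADPolicy, and still have no effect if it is bound to the client's application object or to a service principal other than the one the token's aud claim names. Run it against a token from the real client once, before and after the assignment, rather than trusting the policy object alone.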