
I’m using Microsoft Entra ID as an authentication provider for my web application.

By default, the JWT token that is generated by Entra ID has a lifetime between 60 and 90 minutes, which is a bit too short for my requirements.

By reading the Microsoft documentation, it seems you can control the lifetime of access/id tokens by creating a TokenLifetimePolicy and then assigning it to the app registration that is used to authenticate users.

So this is what I did. First I used PowerShell to create a lifetime policy with a 12-hour lifetime:

$params = @{
    definition = @(
        '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"12:00:00"}}'
    )
    displayName = "12h_token_lifetime"
    isOrganizationDefault = $false
}
New-MgPolicyTokenLifetimePolicy -BodyParameter $params

Then I assigned it to my app registration:

New-MgApplicationTokenLifetimePolicyByRef -ApplicationId XXX -OdataId "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/YYY"

Everything seems to work well, and if I run Get-MgApplicationTokenLifetimePolicy it reports that the policy is assigned:


However, even if the policy seems to be applied nothing has changed. When I authenticate to the service (either via Postman or my actual web app, makes no difference), I get a token with the usual lifetime in the 60-90 minutes range:


What am I missing here?


Answers


  1. As far as I remember, the token lifetime policy set by New-MgApplicationTokenLifetimePolicyByRef is based not on the Entra application used to request the resource, but on the API resource your application is trying to access.

    For example, when an application registered in Entra has API permissions defined for the Graph API, then the token lifetime policy must be assigned to the service principal related to the Graph API.

  2. I agree with @user2250152: the token lifetime policy will be applied only on resource service principals. Initially, I ran the same script as you in my environment and got the results below:

    $params = @{
        definition = @(
            '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"12:00:00"}}'
        )
        displayName = "12h_token_lifetime"
        isOrganizationDefault = $false
    }
    
    $tokenpolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id
    
    Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenpolicyId
    

    Response:


    Now, I assigned this policy to one application by running the command below:

    New-MgApplicationTokenLifetimePolicyByRef -ApplicationId appObjId -OdataId "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenpolicyId"
    

    Response:


    When I generated the access token with a Microsoft Graph scope using this app ID, the access token lifetime did not change, as shown below:


    But if you generate the access token with the resource API scope of the assigned application, it will give you an access token with a 12-hour lifetime, as shown below:


    There is an option to set the parameter IsOrganizationDefault = $true while running the script, but it makes all service principals in your tenant generate access tokens valid for 12 hours no matter what scope you specify.

    As mentioned here, you need to have a Microsoft Entra ID P1 license to use that feature. If you have M365 Business Standard, it’s not enough and you need to update it to Microsoft 365 Business Premium.

    Reference:

    Assigning token lifetime policy to app registration Microsoft Graph. – Microsoft Q&A by Fabio Andrade

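A quick way to confirm the point made in both answers is to read the `aud` and `exp - iat` claims of each token you get back: the lifetime policy follows the resource named in `aud`, not the app that requested the token. The following is an added example, not code from the question or the answer authors, written in Python rather than the PowerShell used above; it uses two constructed tokens with placeholder values (a Graph token at the default lifetime and a token for the app's own API at 12 hours), and reads claims without validating signatures, so it is a diagnostic only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def token_lifetime(jwt: str) -> dict:
    """Return the audience and lifetime (exp - iat, in seconds) of a JWT.
    Claims are read without signature validation: this only tells you which
    resource a token targets and how long it lives, not whether it is genuine."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {"aud": claims.get("aud"), "lifetime_seconds": claims["exp"] - claims["iat"]}


def policy_applied(jwt: str, resource_aud: str, expected_seconds: int) -> bool:
    """True when the token is issued for resource_aud and its lifetime equals expected_seconds."""
    info = token_lifetime(jwt)
    return info["aud"] == resource_aud and info["lifetime_seconds"] == expected_seconds


def _constructed_token(claims: dict) -> str:
    # Constructed sample for the demo: real header/claims layout, dummy signature segment.
    return ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}), _b64url_encode(claims), "dummy-signature"])


ISSUED_AT = 1700000000  # constructed timestamp
APP_API_AUD = "api://<your-app-id-placeholder>"  # placeholder for the app's own API URI

# Token requested with a Microsoft Graph scope: the policy assigned to the app
# registration does not apply, so the lifetime stays at the default (75 min here).
GRAPH_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com", "iat": ISSUED_AT, "exp": ISSUED_AT + 75 * 60})

# Token requested with the app's own API scope: the 12-hour policy applies.
APP_TOKEN = _constructed_token({"aud": APP_API_AUD, "iat": ISSUED_AT, "exp": ISSUED_AT + 12 * 3600})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("app-api", APP_TOKEN)):
        print(name, token_lifetime(tok), policy_applied(tok, APP_API_AUD, 12 * 3600))
```

Paste a real token in place of the constructed ones to see which `aud` it carries; if it is the Graph audience, the 12-hour policy on your own app registration was never in scope for that request.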