A change in the token lifetime in #AzureAD

September 1, 2017 Chris Spanougakis No comments exist

 

Another change these days, but only for new AD tenants. In fact, the default settings for Azure AD refresh tokens is now changed. This is because refresh token expirations seemed to frustrate some users, especially for those of them that haven’t been actively authenticating their clients. It’s obvious that Microsoft tried to eliminate unnecessary signin prompts while maintaining high level of security.

So the new settings for new tenants are:

  • Refresh Token Inactivity: 90 Days
  • Single/Multi factor Refresh Token Max Age: until-revoked
  • Refresh token Max Age for Confidential Clients: until-revoked

It’s also noted that you have the option to override these settings when needed.

If you want to learn more about how Azure AD tokens work, you can check this article here. As you can see, there are multiple types of tokens, and you should know that, although the refresh tokens now last longer, access tokens still expire on much shorter time frames.

 

How can you change the settings related to the token lifetime

1. Download the latest Azure AD PowerShell Module Public Preview release.

2. Run the Connect command to sign in to your Azure AD admin account:

connect-azuread –confirm

3. To see all policies that have been created in your organization, run the following command:

get-azureadpolicy

1

 

4. To create the policy, run the following command:

New-AzureADPolicy -Definition @(‘{“TokenLifetimePolicy”:{“Version”:1,”MaxInactiveTime”:”14.00:00:00″,”MaxAgeSingleFactor”:”90.00:00:00″,”MaxAgeMultiFactor”:”90.00:00:00″,”MaxAgeSessionSingleFactor”:”until-revoked”,”MaxAgeSessionMultiFactor”:”until-revoked”}}’) -DisplayName “OrganizationDefaultPolicyScenario” -IsOrganizationDefault $true -Type “TokenLifetimePolicy”

 

More details can be found here.

 

You can also revoke a user’s refresh token:

  • Download the latest Azure AD PowerShell V1 release.
  • Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session:

    Connect-msolservice

  • Set the StsRefreshTokensValidFrom parameter using the following command:

    Set-MsolUser -UserPrincipalName <UPN of the User> -StsRefreshTokensValidFrom (“<current date>”)

     

    Thanks for your time!

  • Leave a Reply

    Your email address will not be published. Required fields are marked *