I'm using Microsoft Entra ID as an authentication provider for my web application. By default, the JWT token that is generated by Entra ID has a lifetime between 60 and 90 minutes, which is a bit too short for my requirements.
By reading the Microsoft documentation, it seems you can control the lifetime of access/ID tokens by creating a TokenLifetimePolicy and then assigning it to the app registration that is used to authenticate users.
So this is what I did. First I used PowerShell to create a lifetime policy with a 12-hour lifetime:
$params = @{
definition = @(
'{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"12:00:00"}}'
)
displayName = "12h_token_lifetime"
isOrganizationDefault = $false
}
New-MgPolicyTokenLifetimePolicy -BodyParameter $params
Then I assigned it to my app registration:
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId XXX -OdataId "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/YYY"
Everything seems to work well, and if I run Get-MgApplicationTokenLifetimePolicy it reports that the policy is assigned:
However, even though the policy seems to be applied, nothing has changed. When I authenticate to the service (either via Postman or my actual web app, it makes no difference), I get a token with the usual lifetime in the 60-90 minute range:
What am I missing here?
I agree with @user2250152: the token lifetime policy is applied only to resource service principals. Initially, I ran the same script as you in my environment and got the results below:
$params = @{
definition = @(
'{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"12:00:00"}}'
)
displayName = "12h_token_lifetime"
isOrganizationDefault = $false
}
$tokenpolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id
Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenpolicyId
Response:
Now, I assigned this policy to one application by running the command below:
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId appObjId -OdataId "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenpolicyId"
Response:
When I generated an access token with the Microsoft Graph scope using this app ID, the access token lifetime did not change, as below:
But if you generate the access token with the resource API scope of the assigned application, it will give an access token with a 12-hour lifetime successfully, as below:
There is an option to set the parameter IsOrganizationDefault = $true while running the script, but it makes all service principals in your tenant generate access tokens valid for 12 hours no matter what scope you specify.
As mentioned here, you need to have a Microsoft Entra ID P1 license to use that feature. If you have M365 Business Standard, it's not enough and you need to upgrade to Microsoft 365 Business Premium.
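A quick way to check which case you are in, as an added example (not part of the question or answer above): decode the token's payload, compute exp minus iat, and look at the aud claim. A token issued for Microsoft Graph carries Graph's audience and ignores the policy assigned to your app; a token issued for your own API's scope carries your Application ID URI as audience (api://my-api and the sample tokens below are constructed placeholders). The signature is not verified here; this is inspection only, not a replacement for validating the token in your app.

```python
import base64
import json
from datetime import timedelta

# Well-known application id of Microsoft Graph; Graph tokens carry it (or the
# https://graph.microsoft.com URI) as aud.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_URI = "https://graph.microsoft.com"


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(aud: str, iat: int, exp: int) -> str:
    """Build a constructed, unsigned JWT purely for demonstration."""
    header = _b64url({"alg": "none", "typ": "JWT"})
    payload = _b64url({"aud": aud, "iat": iat, "nbf": iat, "exp": exp})
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims (no signature check: inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifetime(token: str) -> timedelta:
    """Actual lifetime the issuer granted, from the exp and iat claims."""
    claims = decode_payload(token)
    return timedelta(seconds=claims["exp"] - claims["iat"])


def explain(token: str, api_app_id_uri: str) -> str:
    """Say whether the app-assigned TokenLifetimePolicy can apply to this token."""
    aud = decode_payload(token)["aud"]
    hours = token_lifetime(token).total_seconds() / 3600
    if aud in (GRAPH_APP_ID, GRAPH_URI):
        return f"aud is Microsoft Graph: your app's policy does not apply ({hours:g} h)"
    if aud == api_app_id_uri:
        return f"aud is your API: the assigned policy applies ({hours:g} h)"
    return f"aud {aud} is another resource ({hours:g} h)"


if __name__ == "__main__":
    now = 1700000000  # constructed issue time
    print(explain(make_token(GRAPH_URI, now, now + 75 * 60), "api://my-api"))
    print(explain(make_token("api://my-api", now, now + 12 * 3600), "api://my-api"))
```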