We're trying to configure the access token expiry time to 8 hours using the below PowerShell cmdlets, but it's not getting enforced on the application. It works when applied at the org level (i.e. -IsOrganizationDefault $true).
# Create the policy and keep the returned object so its Id can be referenced below
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
# Look up the app registration by display name
$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"
# Attach the policy to the app registration
Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
NOTE: After May 30, 2020 no new tenant will be able to use the Configurable Token Lifetime policy to configure session and refresh tokens. However, you can still configure access token lifetimes after the deprecation.
Need help in configuring the access token expiry time to 8 hrs for an OAuth/OIDC app in Azure AD (default is 1 hr).
This is a late answer. Hope it helps late-comers like me.
The token lifetime policy is not based on the AAD app registration (service principal / enterprise application) that is being used to request the resource. It applies to the resource you're trying to access. So the resource needs to have the token lifetime policy, not the AAD app registration (service principal / enterprise application) that has the permissions.
For example, I have a React frontend making API calls to a backend; both are registered on Azure AD as 2 separate apps. When users log in via the frontend, they will be issued an ID token (from the service principal for the frontend) and an access token (from the service principal for the backend).
Your PowerShell cmd would create an 8-hour-long token. If I apply it to the frontend, the ID token would last 8 hours. Similarly, if applied to the backend, the access token to the server will last 8 hours.
This is the MSFT tutorial to extend the token lifetime policy and apply it to service principals. Note that the token lifetime must be under 24 hours to be valid.
https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes#create-a-policy-for-web-sign-in
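As an added illustration of the answer above (example code, not part of the original post or of Microsoft's documentation): the same 8-hour policy attached to the backend resource's service principal instead of the client's app registration, followed by a check that decodes a freshly issued access token and reads its lifetime. The display name BackendApi, the policy name and the $accessToken variable are assumptions; the cmdlets are from the AzureAD module.

```powershell
# Added example: attach an 8-hour access-token lifetime policy to the
# *resource* (backend API) service principal, which is what the access
# token is issued for, and then verify the lifetime on a real token.
# Assumes the AzureAD module is imported and Connect-AzureAD has run.
$backendName = "BackendApi"   # assumption: display name of the resource app

# 1. Create the policy (not the tenant-wide default).
$definition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}'
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "BackendApi8hAccessToken" `
    -IsOrganizationDefault $false `
    -Type "TokenLifetimePolicy"

# 2. Look up the service principal of the resource being called,
#    not the client app that requests the token.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$backendName'"
if (-not $sp) { throw "No service principal named '$backendName' found" }

# 3. Attach the policy to that service principal.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 4. Confirm the assignment is visible on the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Id

# 5. Verify on a token: decode the JWT payload (no signature check; this
#    only reads public claims) and compute the lifetime from exp - iat.
function Get-AccessTokenLifetime {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString(
        [Convert]::FromBase64String($payload)) | ConvertFrom-Json
    # aud shows which resource the token was issued for; exp/iat are Unix seconds.
    [pscustomobject]@{
        Audience = $claims.aud
        Lifetime = [TimeSpan]::FromSeconds($claims.exp - $claims.iat)
    }
}

# $accessToken is assumed to be a token acquired for the backend after the
# policy was applied; Lifetime should match the policy's AccessTokenLifetime.
Get-AccessTokenLifetime -Jwt $accessToken
```

The client app registration is deliberately never touched here; tokens requested for other resources keep their default lifetime.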
Per my test, it just works with -IsOrganizationDefault $true. Currently, no matter whether you use Add-AzureADServicePrincipalPolicy or Add-AzureADApplicationPolicy, if -IsOrganizationDefault $false, neither works.
Currently, the Configure Token Lifetime policy feature is still in preview. I think this feature may not be fully implemented yet, which has caused problems. Microsoft should implement it in the future.