- A TokenLifetimePolicy is applied to the resource server (e.g. the app registration of the backend API), not to the client that requests the token.
- Refresh token lifetime is no longer configured through TokenLifetimePolicy; use the Conditional Access sign-in frequency control instead.
Example policy definition (the MaxInactiveTime / MaxAgeMultiFactor / MaxAgeSingleFactor entries are refresh token settings that Azure AD no longer honors; only AccessTokenLifetime still takes effect):

```json
{
  "TokenLifetimePolicy": {
    "Version": 1,
    "AccessTokenLifetime": "00:10:00",
    "MaxInactiveTime": "00:30:00",
    "MaxAgeMultiFactor": "00:30:00",
    "MaxAgeSingleFactor": "00:30:00"
  }
}
```
AccessTokenLifetime | Value |
---|---|
Minimum | 10 minutes |
Maximum | 1 day |
Default | 60 minutes |
Configuring the lifetime of refresh tokens (RT) and session tokens (ST) through TokenLifetimePolicy is retired; that function is replaced by the Conditional Access sign-in frequency control.
As of January 30, 2021 you cannot configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the default configuration. You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement.
The lifetime of existing tokens is not changed; after they expire, new tokens are issued using the default values.
If you need to continue to define the time period before a user is asked to sign in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, read Configure authentication session management with Conditional Access.
Retired properties (no longer honored; listed for reference):

Property | Policy property string | Affects | Default |
---|---|---|---|
Refresh Token Max Inactive Time | MaxInactiveTime | Refresh tokens | 90 days |
Single-Factor Refresh Token Max Age | MaxAgeSingleFactor | Refresh tokens (for any users) | Until revoked |
Multi-Factor Refresh Token Max Age | MaxAgeMultiFactor | Refresh tokens (for any users) | Until revoked |
Single-Factor Session Token Max Age | MaxAgeSessionSingleFactor | Session tokens (persistent and nonpersistent) | Until revoked |
Multi-Factor Session Token Max Age | MaxAgeSessionMultiFactor | Session tokens (persistent and nonpersistent) | Until revoked |
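The following is an added example (not Microsoft's code, and not part of the original notes) that lints a TokenLifetimePolicy definition like the one above before it is pushed to Azure AD: it checks that AccessTokenLifetime stays within the 10 minute to 1 day range from the table, flags the retired refresh/session token properties that Azure AD silently ignores, and builds the request bodies for the Microsoft Graph `POST /policies/tokenLifetimePolicies` and `POST /applications/{id}/tokenLifetimePolicies/$ref` calls. The `.NET TimeSpan`-style `d.hh:mm:ss` duration parsing, the function names and the sample policy are assumptions made for this example.

```python
"""Lint an Azure AD TokenLifetimePolicy definition and build the Graph request bodies.

Added example, not Microsoft code. Assumptions: durations are written in the
hh:mm:ss / d.hh:mm:ss form used on this page, AccessTokenLifetime must be
between 10 minutes and 1 day, and the retired RT/ST properties are ignored.
"""
import json
from datetime import timedelta

ACCESS_MIN = timedelta(minutes=10)
ACCESS_MAX = timedelta(days=1)

# Refresh/session token properties that Azure AD stopped honoring on 2021-01-30.
RETIRED = {
    "MaxInactiveTime": "refresh tokens",
    "MaxAgeSingleFactor": "refresh tokens",
    "MaxAgeMultiFactor": "refresh tokens",
    "MaxAgeSessionSingleFactor": "session tokens",
    "MaxAgeSessionMultiFactor": "session tokens",
}


def parse_duration(value: str) -> timedelta:
    """Parse 'hh:mm:ss' or 'd.hh:mm:ss' (TimeSpan form, e.g. '1.00:00:00' = 1 day)."""
    days = 0
    if "." in value.split(":")[0]:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(p) for p in value.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def lint_policy(definition: dict) -> list[str]:
    """Return a list of findings; an empty list means the definition is clean."""
    findings = []
    body = definition.get("TokenLifetimePolicy")
    if not isinstance(body, dict):
        return ["missing top-level TokenLifetimePolicy object"]
    if body.get("Version") != 1:
        findings.append("Version must be 1")
    atl = body.get("AccessTokenLifetime")
    if atl is not None:
        lifetime = parse_duration(atl)
        if not ACCESS_MIN <= lifetime <= ACCESS_MAX:
            findings.append(f"AccessTokenLifetime {atl} outside 10 minutes..1 day")
    for prop, affects in RETIRED.items():
        if prop in body:
            findings.append(
                f"{prop} is ignored (retired {affects} setting); "
                "use Conditional Access sign-in frequency instead"
            )
    return findings


def graph_request_body(definition: dict, display_name: str) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies.

    Graph expects `definition` as a list holding the policy as a JSON *string*,
    not as a nested object; a nested object is rejected with 400.
    """
    return {
        "definition": [json.dumps(definition, separators=(",", ":"))],
        "displayName": display_name,
        "isOrganizationDefault": False,
    }


def assign_request_body(policy_id: str) -> dict:
    """Body for POST /applications/{app-object-id}/tokenLifetimePolicies/$ref,
    which links the policy to the resource server's app registration."""
    return {"@odata.id": f"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/{policy_id}"}


# Constructed sample: the policy from the notes above, still carrying retired RT settings.
PAGE_POLICY = {
    "TokenLifetimePolicy": {
        "Version": 1,
        "AccessTokenLifetime": "00:10:00",
        "MaxInactiveTime": "00:30:00",
        "MaxAgeMultiFactor": "00:30:00",
        "MaxAgeSingleFactor": "00:30:00",
    }
}

if __name__ == "__main__":
    for finding in lint_policy(PAGE_POLICY):
        print("WARN:", finding)
    print(json.dumps(graph_request_body(PAGE_POLICY, "BackendApiAccessTokenPolicy"), indent=2))
```

Running the linter on the page's policy yields three warnings, one per retired refresh token property, and no complaint about the 10 minute access token lifetime, which sits exactly on the lower bound. Assign the policy to the backend API's app registration (the resource server), not to the client; the client's own policy does not shorten tokens issued for another resource.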