
@sawaYch
Last active December 22, 2021 04:53
Azure AD token lifetime payload

AAD Token lifetime payload

  1. A token lifetime policy is applied to the resource server (e.g. the backend API's app registration): the AccessTokenLifetime that takes effect for an access token is the one assigned to the resource, not to the client that requested it.
  2. Refresh token lifetime is no longer configured with TokenLifetimePolicy; use the Conditional Access sign-in frequency control instead. The MaxInactiveTime / MaxAge* properties in the payload below are therefore accepted but ignored, and only AccessTokenLifetime has an effect.
{
  "TokenLifetimePolicy": {
    "Version": 1,
    "AccessTokenLifetime": "00:10:00",
    "MaxInactiveTime": "00:30:00",
    "MaxAgeMultiFactor": "00:30:00",
    "MaxAgeSingleFactor": "00:30:00"
  }
}

Access Token lifetime config

AccessTokenLifetime (a TimeSpan string, written hh:mm:ss as in the payload above)
  minimum: 10 minutes
  maximum: 1 day
  default: 60 minutes

Refresh Token lifetime config

Configuring the token lifetime for refresh and session tokens (RT/ST) is retired; that part of the policy is replaced by the Conditional Access sign-in frequency control.

As of January 30, 2021 you cannot configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the default configuration. You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement.

Existing tokens' lifetimes will not be changed. After they expire, a new token will be issued based on the default value.

If you need to continue to define the time period before a user is asked to sign in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, read Configure authentication session management with Conditional Access.

| Property | Policy property string | Affects | Default |
|---|---|---|---|
| Refresh Token Max Inactive Time | MaxInactiveTime | Refresh tokens | 90 days |
| Single-Factor Refresh Token Max Age | MaxAgeSingleFactor | Refresh tokens (for any users) | until revoked |
| Multi-Factor Refresh Token Max Age | MaxAgeMultiFactor | Refresh tokens (for any users) | until revoked |
| Single-Factor Session Token Max Age | MaxAgeSessionSingleFactor | Session tokens (persistent and nonpersistent) | until revoked |
| Multi-Factor Session Token Max Age | MaxAgeSessionMultiFactor | Session tokens (persistent and nonpersistent) | until revoked |
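The payload above, the 10-minute-to-1-day AccessTokenLifetime range, and the retired refresh/session properties in the table above, worked through as an added example that is not part of the gist or of Microsoft's documentation. It validates a TokenLifetimePolicy definition (flagging the retired keys as ignored), builds the Microsoft Graph v1.0 requests that create the policy and assign it to the resource app registration, and inspects an issued access token to confirm which lifetime it actually got. Assumptions: the Graph endpoints `POST /policies/tokenLifetimePolicies` and `POST /applications/{id}/tokenLifetimePolicies/$ref` as Microsoft documents them; the token inspector only base64url-decodes the JWT payload and does no signature verification, so use it on tokens you obtained yourself; the sample token and the app/policy ids in the usage block are constructed placeholders.

```python
"""Added example (not the gist's or Microsoft's code): check a TokenLifetimePolicy
definition, build the Graph requests that create/assign it, and measure the
lifetime of an issued access token. Sample token below is constructed."""
import base64
import json
import re
from datetime import timedelta

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: Graph v1.0 endpoints as documented

# Refresh/session-token properties Azure AD stopped honoring on 2021-01-30;
# Conditional Access sign-in frequency replaces them.
RETIRED_PROPERTIES = {
    "MaxInactiveTime", "MaxAgeSingleFactor", "MaxAgeMultiFactor",
    "MaxAgeSessionSingleFactor", "MaxAgeSessionMultiFactor",
}
ACCESS_TOKEN_MIN = timedelta(minutes=10)
ACCESS_TOKEN_MAX = timedelta(days=1)

# .NET TimeSpan text: optional "d." prefix, then hh:mm:ss
_TIMESPAN = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")

# The gist's payload, verbatim
GIST_POLICY = json.dumps({"TokenLifetimePolicy": {
    "Version": 1, "AccessTokenLifetime": "00:10:00", "MaxInactiveTime": "00:30:00",
    "MaxAgeMultiFactor": "00:30:00", "MaxAgeSingleFactor": "00:30:00"}})


def parse_timespan(value: str) -> timedelta:
    m = _TIMESPAN.match(value)
    if not m:
        raise ValueError(f"not a TimeSpan string: {value!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def validate_policy(definition: str) -> dict:
    """Return the effective access-token lifetime, range errors and ignored keys."""
    policy = json.loads(definition)["TokenLifetimePolicy"]
    errors = [] if policy.get("Version") == 1 else ["Version must be 1"]
    lifetime = None
    if "AccessTokenLifetime" in policy:
        lifetime = parse_timespan(policy["AccessTokenLifetime"])
        if not ACCESS_TOKEN_MIN <= lifetime <= ACCESS_TOKEN_MAX:
            errors.append(f"AccessTokenLifetime {lifetime} is outside 10 minutes..1 day")
    ignored = sorted(policy.keys() & RETIRED_PROPERTIES)  # accepted by Graph, no effect
    return {"access_token_lifetime": lifetime, "errors": errors, "ignored": ignored}


def create_policy_request(definition: str, display_name: str):
    """(method, url, body) that creates the policy object; not an org-wide default."""
    body = {"definition": [definition],  # Graph takes the JSON as a string inside a list
            "displayName": display_name, "isOrganizationDefault": False}
    return "POST", f"{GRAPH}/policies/tokenLifetimePolicies", body


def assign_policy_request(app_object_id: str, policy_id: str):
    """Link the policy to the resource app registration (its object id, not appId)."""
    body = {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"}
    return "POST", f"{GRAPH}/applications/{app_object_id}/tokenLifetimePolicies/$ref", body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issued_lifetime(access_token: str) -> timedelta:
    """exp minus nbf (or iat) from the JWT payload; the signature is NOT checked."""
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    return timedelta(seconds=claims["exp"] - claims.get("nbf", claims["iat"]))


def policy_applied(access_token: str, definition: str, slack=timedelta(seconds=60)) -> bool:
    """True when the token's lifetime matches the policy's AccessTokenLifetime."""
    expected = validate_policy(definition)["access_token_lifetime"]
    return expected is not None and abs(issued_lifetime(access_token) - expected) <= slack


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token: issued at 1640000000, valid for exactly 10 minutes
SAMPLE_TOKEN = make_unsigned_token(
    {"aud": "api://backend", "iat": 1640000000, "nbf": 1640000000, "exp": 1640000600})

if __name__ == "__main__":
    print(validate_policy(GIST_POLICY))
    print(create_policy_request(GIST_POLICY, "BackendAccessToken10m"))
    print(assign_policy_request("<app-object-id>", "<policy-id>"))  # placeholders
    print("issued lifetime:", issued_lifetime(SAMPLE_TOKEN),
          "matches policy:", policy_applied(SAMPLE_TOKEN, GIST_POLICY))
```

Run `validate_policy` on the gist's payload and the three retired keys come back under `ignored` with no errors, which is exactly the trap the page warns about: Graph accepts the definition, but the 30-minute values do nothing. To actually send the two requests, put a bearer token with `Policy.ReadWrite.ApplicationConfiguration` and `Application.ReadWrite.All` in an `Authorization` header; after the client obtains a fresh token for the resource, `policy_applied` tells you whether the 10-minute lifetime took effect.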

Reference: https://docs.microsoft.com/en-gb/azure/active-directory/develop/active-directory-configurable-token-lifetimes#token-lifetime-policies-for-refresh-tokens-and-session-tokens
