Configuring Azure AD token expiration time is crucial for maintaining security and user experience. The default token expiration time is 1 hour, but this can be adjusted to meet specific needs.
The maximum token expiration time is 14 days, which can be set using the "tokenLifetime" parameter in the Azure AD configuration. This setting applies to all users and applications.
To avoid token expiration issues, it's essential to understand how Azure AD handles token renewal. The service automatically refreshes tokens before they expire, ensuring seamless access to resources.
However, token renewal can fail if the user's device is offline or has a poor internet connection. This is where the "tokenLifetime" parameter comes into play, allowing administrators to set a longer expiration time to accommodate such scenarios.
Azure AD Token Expiration Time
Token expiration time is a crucial setting in Azure Active Directory (Azure AD) that determines how long a token remains valid before it expires. By default, tokens are valid for 90 days.
You can change the token expiration time by creating a new token lifetime policy. To do this, you need to connect to your Azure AD tenant using the Azure AD PowerShell module. Once connected, you can check if there are any existing token lifetime policies defined.
If you want to change the default policy for new tenants, you can create a new policy with the desired settings. For example, you can set the refresh token inactivity to 90 days, and the single/multi-factor refresh token max age to "until-revoked".
Here's a list of the default token lifetime settings for new tenants:
If you have an existing old tenant, you can create a new policy that reflects the old default settings. For example, you can set the refresh token inactivity to 14 days, and the single/multi-factor refresh token max age to 90 days.
To update any existing organization default token lifetime policy, you can use the `Set-AzureADPolicy` cmdlet. This will update the policy with the new settings, but will not affect any existing tokens that have already been issued.
It's worth noting that you can also use the `Get-AzureADPolicy` cmdlet to view the existing token lifetime policies and settings. This can be useful for troubleshooting or auditing purposes.
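The check-then-create-or-update flow described above, as an added example that is not from the original page. It uses the legacy AzureAD module cmdlets named in this section (that module has since been deprecated in favour of the Microsoft Graph PowerShell SDK); the policy display name is hypothetical, and the two definitions carry the new-tenant and old-tenant values quoted above.

```powershell
# Added example (not from the original page). Assumes the AzureAD module is
# installed and the signed-in account may manage policies.
Connect-AzureAD

# Refresh token settings as described for new tenants (90 days inactivity,
# max age until-revoked) and for old tenants (14 days inactivity, 90 days max age).
$newTenantDefaults = @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"90.00:00:00","MaxAgeSingleFactor":"until-revoked","MaxAgeMultiFactor":"until-revoked"}}')
$oldTenantDefaults = @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"14.00:00:00","MaxAgeSingleFactor":"90.00:00:00","MaxAgeMultiFactor":"90.00:00:00"}}')
$definition = $oldTenantDefaults   # pick the behaviour you want tenant-wide

# 1. Check whether an organization default token lifetime policy already exists
$existing = Get-AzureADPolicy | Where-Object {
    $_.Type -eq "TokenLifetimePolicy" -and $_.IsOrganizationDefault
}

if (-not $existing) {
    # 2a. None yet: create the organization default (hypothetical display name)
    $policy = New-AzureADPolicy -Definition $definition `
        -DisplayName "OrgDefault-RefreshTokenLifetime" `
        -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
} else {
    # 2b. One exists: update it in place. Tokens already issued keep their
    #     original lifetime; only newly issued tokens pick up the new values.
    Set-AzureADPolicy -Id $existing.Id -Definition $definition
    $policy = Get-AzureADPolicy -Id $existing.Id
}

# 3. Read the definition back for auditing or troubleshooting
$policy.Definition | ConvertFrom-Json |
    Select-Object -ExpandProperty TokenLifetimePolicy
```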
Manage Policies
You can use the following cmdlets to manage policies: New-MgPolicyTokenLifetimePolicy creates a new policy, Get-MgPolicyTokenLifetimePolicy gets all token lifetime policies or a specified policy, Update-MgPolicyTokenLifetimePolicy updates an existing policy, and Remove-MgPolicyTokenLifetimePolicy deletes the specified policy.
These cmdlets manage token lifetime policies, which can be set for access, SAML, and ID tokens.
To link a policy to an application, use the New-MgApplicationTokenLifetimePolicyByRef cmdlet. To get the policies assigned to an application, use the Get-MgApplicationTokenLifetimePolicyByRef cmdlet. To remove a policy from an application, use the Remove-MgApplicationTokenLifetimePolicyByRef cmdlet.
These cmdlets are part of the Azure AD management API and can be used to manage token lifetime policies for your applications.
Here is a summary of the cmdlets:
- New-MgPolicyTokenLifetimePolicy: creates a new token lifetime policy
- Get-MgPolicyTokenLifetimePolicy: gets all token lifetime policies, or a specified policy
- Update-MgPolicyTokenLifetimePolicy: updates an existing policy
- Remove-MgPolicyTokenLifetimePolicy: deletes the specified policy
- New-MgApplicationTokenLifetimePolicyByRef: links a policy to an application
- Get-MgApplicationTokenLifetimePolicyByRef: gets the policies assigned to an application
- Remove-MgApplicationTokenLifetimePolicyByRef: removes a policy from an application
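An added example, not code from the original page, showing the Microsoft Graph PowerShell cmdlets above used together: a policy is created with IsOrganizationDefault set to false, linked to a single application, verified, and can be removed again. It assumes the Microsoft.Graph module is installed; the display name and application object ID are placeholders.

```powershell
# Added example (not from the original page). The account needs permission to
# manage token lifetime policies and application configuration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"

# Object ID (not the client/app ID) of the app registration the policy applies to
$applicationObjectId = "<object-id-of-your-app-registration>"   # placeholder

# 1. Create a policy: 4-hour access tokens, applied only where it is linked
$policyParams = @{
    Definition            = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}')
    DisplayName           = "LongLivedAccessToken-4h"   # hypothetical name
    IsOrganizationDefault = $false                      # not the tenant-wide default
}
$policy = New-MgPolicyTokenLifetimePolicy -BodyParameter $policyParams

# 2. Link the policy to the application by reference
$refParams = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
}
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $refParams

# 3. Verify which policies the application now carries
Get-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId

# 4. Audit: list every policy and make any organization default stand out
Get-MgPolicyTokenLifetimePolicy -All |
    Select-Object DisplayName, IsOrganizationDefault,
        @{ n = "Definition"; e = { $_.Definition -join "" } }

# 5. Roll back once the application no longer needs the longer lifetime
# Remove-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -TokenLifetimePolicyId $policy.Id
# Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $policy.Id
```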
Configuration Options
Azure AD supports configurable token lifetimes, which can be set to a longer lifetime than the default 60-90 minutes. This can be achieved through a token lifetime policy, which is a type of policy object that contains token lifetime rules.
The default lifetime value can be modified to suit organizational needs, but it's essential to note that all new access tokens will respect the new value. This means it's not possible to set one value for non-CAE-capable clients and a different value for CAE-capable clients.
Token lifetime policies are created via PowerShell today, and they can be applied either by default to all applications or to a specific application.
To modify the default token lifetime, you'll need to define a token policy and apply it to the desired applications. This can be done using the following properties:
It's worth noting that creating a token lifetime policy with a new default lifetime for the organization works, but increasing token lifetime in this manner is not something to do on a whim. It would be better to assign a token lifetime policy only to the apps that need to use extended token lifetimes.
Best Practices and Control
To control session lifetimes, you should use conditional access policies to impose a sign-in frequency based on populations, services, and context.
Using conditional access policies allows you to tailor your sign-in frequency to specific groups of users or administrators, and even to different services and contexts.
Impose a default sign-in frequency to ensure that users are periodically required to sign in, even if they're not using conditional access policies.
This helps prevent long sessions that could potentially expose your organization to security risks.
Leave the Keep me signed in option available for users, but make them aware of its implications.
This allows users to choose whether or not to stay signed in, while still educating them about the potential security risks.
Enable Continuous Access Evaluation, using IP named locations instead of Trusted IP.
This feature helps to continuously evaluate the user's access and session status, even after they've initially signed in.
Disable resilience defaults durations for the most sensitive accesses to minimize the risk of unauthorized access.
Here are the best practices to control session lifetimes in a concise list:
- Use conditional access policies to impose a sign-in frequency based on populations (users vs. admins), services, and context
- Impose a default sign-in frequency
- Leave the Keep me signed in option available for users (but make users aware)
- Enable Continuous Access Evaluation (use IP named locations and not Trusted IP)
- Disable resilience defaults durations for the most sensitive accesses
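One way to implement the sign-in frequency and resilience defaults items in the list above for an administrator population, as an added example that is not from the original page. It assumes the Microsoft.Graph module; the group ID and policy name are placeholders, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the original page). Requires permission to manage
# Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$adminGroupId = "<object-id-of-admin-group>"   # placeholder: population to target

$caPolicy = @{
    displayName = "CA-Admins-SignInFrequency-1h"   # hypothetical name
    # Report-only first; switch to "enabled" after reviewing the sign-in logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($adminGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Require a fresh sign-in every hour for this population
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 1
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Do not extend sessions under the resilience defaults for these accesses
        disableResilienceDefaults = $true
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Read the session controls back for review
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).SessionControls |
    ConvertTo-Json -Depth 5
```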
Azure AD PowerShell and API
Azure AD PowerShell and API can be used to manage Azure Active Directory, including token expiration times.
You can use the Azure AD PowerShell module to check the token expiration time for a user. For example, you can use the Get-AzureADUser cmdlet to retrieve a user's token expiration time.
Azure AD API can also be used to manage token expiration times. The Azure AD Graph API, for instance, allows you to retrieve a user's token expiration time using the GET /users/{id}/tokenProperties request.
Azure AD PowerShell and API can also be used to configure token renewal policies; for example, the Set-AzureADPolicy cmdlet configures a token renewal policy from Azure AD PowerShell.
Frequently Asked Questions
What is the default timeout for Azure tokens?
The default timeout for Azure tokens is 1 hour (60 minutes). You can adjust this time to a minimum of 5 minutes or a maximum of 24 hours (1,440 minutes).