Configuring Token Lifetimes in Azure Active Directory

FlexNet Manager Suite 2020 R2 (On-Premises)

This section is for Microsoft Azure AD administrators who want to configure the lifetimes of the refresh tokens and access tokens issued by Azure Active Directory. If your organization already has these set, these steps are not necessary.

FlexNet Beacon uses a Microsoft Azure Active Directory (AAD) native app for authentication when using Microsoft 365 inventory connections. A customer can either use the Flexera-created native app for this authentication or create their own.

When authentication is complete and a user consents to access to the resource (Microsoft Graph) with read-only permissions, Azure AD generates and sends two tokens: a refresh token and an access token. These tokens are specific to the user, resource, and permissions. The refresh token is used to authenticate again in the future without the need to log in, while the access token is a session token. Typically, the refresh token is saved and used first in every session to obtain a new access token; once the access token has been generated, it is used in the following calls within that session.

Since these tokens can be used at any time without the user having to log in manually, Azure AD allows you to configure their lifetimes. After a refresh token has expired, the user must log in and consent to access to the resource and permissions again before a new refresh token is generated. After an access token has expired, an app can use a valid refresh token to obtain a new access token.

Configuring these token lifetimes is Azure AD functionality and applies to all applications in that tenant. To configure them, an Azure AD administrator must have the Azure AD PowerShell module installed. For more information about these tokens, their default values, and their configuration, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.

To configure the refresh token and access token lifetimes, an Azure AD administrator opens an elevated PowerShell prompt (run as administrator) and runs the following PowerShell commands (shown in code boxes in these steps):

  1. Install the Azure AD PowerShell module:
    Install-Module AzureADPreview
  2. Connect to Azure AD:
    Connect-AzureAD
  3. Check if you already have a token lifetime policy:
    $defaultTokenPolicy = Get-AzureADPolicy | Where-Object {$_.Type -eq "TokenLifetimePolicy" -and
    $_.IsOrganizationDefault -eq $true}
  4. Check whether a token policy exists:
    $defaultTokenPolicy
  5. If a token policy exists, the previous command returns an object; otherwise, it returns nothing. If a value is returned, you may want to examine the current token policy by entering the following:
    $defaultTokenPolicy.Definition
  6. If a policy exists, its definition is returned. The following shows an example of a returned policy:
    PS C:\WINDOWS\system32> $defaultTokenPolicy.Definition
    {
        "TokenLifetimePolicy":
        {
            "Version":1,
            "AccessTokenLifetime":"0.00:10:00",
            "MaxInactiveTime":"90.00:00:00",
            "MaxAgeSingleFactor":"until-revoked",
            "MaxAgeMultiFactor":"until-revoked",
            "MaxAgeSessionSingleFactor":"until-revoked",
            "MaxAgeSessionMultiFactor":"until-revoked"
        }
    } 
    The AccessTokenLifetime in the above example is set to 10 minutes, which means that once an access token is generated it remains valid for ten minutes, after which the app must obtain a newly generated access token. The MaxInactiveTime is set to 90 days, which means that a refresh token expires after 90 days of inactivity. MaxAgeSingleFactor and MaxAgeMultiFactor also relate to the refresh token and define its maximum lifetime, based on the single-factor or multi-factor authentication setting of your organization.
  7. If you want to add or update your Azure AD token lifetime settings, decide on the new settings and execute the following (adjusting the lifetimes as required):
    $newTokenPolicy = @('{
        "TokenLifetimePolicy":
        {
            "Version":1,
            "AccessTokenLifetime":"0.01:00:00",
            "MaxInactiveTime":"90.00:00:00",
            "MaxAgeSingleFactor":"until-revoked",
            "MaxAgeMultiFactor":"until-revoked",
            "MaxAgeSessionSingleFactor":"until-revoked",
            "MaxAgeSessionMultiFactor":"until-revoked"
        }
    }')
  8. If you did not have a token policy, execute the following (the trailing backtick continues the command on the next line):
    New-AzureADPolicy -Type "TokenLifetimePolicy" -DisplayName "OrganizationDefaultPolicyScenario" `
    -IsOrganizationDefault $true -Definition $newTokenPolicy
  9. If you already had a token policy, execute the following command to update it:
    Set-AzureADPolicy -Id $defaultTokenPolicy.Id -DisplayName "OrganizationDefaultPolicyUpdatedScenario" `
    -Definition $newTokenPolicy
  10. To validate that the policy has been applied correctly, repeat steps 3 through 5.
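The following script is an added example, not part of the FlexNet documentation or Flexera's own tooling: it combines steps 3 through 10 into one idempotent function that reads the existing organization-default policy, creates or updates it only when the lifetimes differ, and validates the access token lifetime against the range Azure AD accepts. It assumes Connect-AzureAD (step 2) has already succeeded in the current session; the function name and display names are illustrative.

```powershell
# Added example, not from the FlexNet documentation: create or update the organization-
# default TokenLifetimePolicy idempotently with the cmdlets from steps 3 to 9.
# Assumes Connect-AzureAD (step 2) has already succeeded in this session.
function Set-OrgDefaultTokenLifetime {
    param(
        [Parameter(Mandatory)] [string] $AccessTokenLifetime,   # TimeSpan text: days.hh:mm:ss
        [string] $MaxInactiveTime = "90.00:00:00"
    )
    # Azure AD accepts access token lifetimes from 10 minutes up to 1 day; fail early otherwise.
    $span = [TimeSpan]::Parse($AccessTokenLifetime)
    if ($span -lt [TimeSpan]::FromMinutes(10) -or $span -gt [TimeSpan]::FromDays(1)) {
        throw "AccessTokenLifetime must be between 0.00:10:00 and 1.00:00:00, got $AccessTokenLifetime"
    }
    # Same JSON layout as step 7, built with ConvertTo-Json so quoting cannot go wrong.
    $definition = @{
        TokenLifetimePolicy = [ordered]@{
            Version                   = 1
            AccessTokenLifetime       = $AccessTokenLifetime
            MaxInactiveTime           = $MaxInactiveTime
            MaxAgeSingleFactor        = "until-revoked"
            MaxAgeMultiFactor         = "until-revoked"
            MaxAgeSessionSingleFactor = "until-revoked"
            MaxAgeSessionMultiFactor  = "until-revoked"
        }
    } | ConvertTo-Json -Depth 3
    # Step 3: find the existing organization-default policy, if any.
    $current = Get-AzureADPolicy | Where-Object {
        $_.Type -eq "TokenLifetimePolicy" -and $_.IsOrganizationDefault -eq $true
    }
    if ($current) {
        # Definition is a list of JSON strings; compare parsed values before writing.
        $existing = ($current.Definition[0] | ConvertFrom-Json).TokenLifetimePolicy
        if ($existing.AccessTokenLifetime -eq $AccessTokenLifetime -and
            $existing.MaxInactiveTime -eq $MaxInactiveTime) {
            Write-Host "Policy '$($current.DisplayName)' already matches; nothing changed."
            return $current
        }
        # Step 9: update the existing policy in place.
        Set-AzureADPolicy -Id $current.Id -DisplayName "OrganizationDefaultPolicyUpdatedScenario" `
            -Definition @($definition)
        return Get-AzureADPolicy -Id $current.Id
    }
    # Step 8: no policy yet, so create one.
    return New-AzureADPolicy -Type "TokenLifetimePolicy" -DisplayName "OrganizationDefaultPolicyScenario" `
        -IsOrganizationDefault $true -Definition @($definition)
}
# Step 10: show the lifetimes now in force.
$policy = Set-OrgDefaultTokenLifetime -AccessTokenLifetime "0.01:00:00"
($policy.Definition[0] | ConvertFrom-Json).TokenLifetimePolicy
```

Because the policy is tenant-wide, run it first with a lifetime that matches the current one to confirm the "already matches" path before changing anything in production.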
