Configuring Token Lifetimes in Azure Active Directory

FlexNet Manager Suite (Cloud)

This section is for Microsoft Azure AD administrators who want to configure the lifetimes of the refresh tokens and access tokens issued by Azure Active Directory. If your organization has already set these lifetimes, these steps are not necessary.

FlexNet Beacon uses a Microsoft Azure Active Directory (Azure AD) native app for authentication when using Microsoft 365 inventory connections. You can either use the Flexera-created multi-tenant app for this authentication, or create your own single-tenant app.
Tip: The following discussion does not apply to a single-tenant app using a client secret.

When authentication completes and a user consents to read-only access to the resource (Microsoft Graph), Azure AD issues two tokens: a refresh token and an access token. Both tokens are bound to that user, resource, and set of permissions. The access token is a short-lived session token that is presented on each call to the resource. The refresh token is longer-lived and lets the app obtain new access tokens later without the user signing in again. Typically, the app stores the refresh token and, at the start of each session, redeems it for a new access token; that access token is then used for the remaining calls in that session.

Because these tokens can be used at any time without the user signing in, Azure AD lets you configure their lifetimes. Once a refresh token expires, the user must sign in and consent again before a new refresh token is issued. Once an access token expires, the app can redeem a still-valid refresh token for a new access token.

Token lifetime configuration is an Azure AD function: an organization-default policy applies to every application in that tenant, not just the FlexNet Beacon app. To configure it, an Azure AD administrator needs the Azure AD PowerShell module installed (the steps below use AzureADPreview, which provides the *-AzureADPolicy cmdlets). Two caveats apply. First, since January 30, 2021 Azure AD no longer honors the refresh and session token settings in this policy (MaxInactiveTime and the MaxAge* values); only AccessTokenLifetime still takes effect, and refresh tokens keep Microsoft's fixed defaults. Second, Microsoft has deprecated the Azure AD PowerShell modules in favor of Microsoft Graph PowerShell. For the current defaults, limits, and supported settings, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.

To configure lifetimes for the refresh token and an access token:

  1. Run PowerShell as an administrator.
  2. Install the Azure AD PowerShell module:
    Install-Module AzureADPreview
  3. Connect to Azure AD:
    Connect-AzureAD
  4. Look up the organization-default token lifetime policy, if one exists:
    $defaultTokenPolicy = Get-AzureADPolicy | Where-Object {$_.Type -eq "TokenLifetimePolicy" -and
    $_.IsOrganizationDefault -eq $true}
  5. Check whether a policy was found:
    $defaultTokenPolicy
  6. If a policy exists, the previous command returns a policy object; otherwise it returns nothing. If an object is returned, examine its current settings:
    $defaultTokenPolicy.Definition
  7. The following is an example of a policy definition returned by the previous command:
    PS C:\WINDOWS\system32> $defaultTokenPolicy.Definition
    {
        "TokenLifetimePolicy":
        {
            "Version":1,
            "AccessTokenLifetime":"0.00:10:00",
            "MaxInactiveTime":"90.00:00:00",
            "MaxAgeSingleFactor":"until-revoked",
            "MaxAgeMultiFactor":"until-revoked",
            "MaxAgeSessionSingleFactor":"until-revoked",
            "MaxAgeSessionMultiFactor":"until-revoked"
        }
    } 
    Lifetimes use the format d.hh:mm:ss. In the example above, AccessTokenLifetime is set to 10 minutes, which means that once an access token is issued it remains valid for ten minutes, after which the app must obtain a new one. MaxInactiveTime is set to 90 days, which means that a refresh token expires after 90 days without being used. MaxAgeSingleFactor and MaxAgeMultiFactor also apply to the refresh token and define its maximum total lifetime for sessions authenticated with single-factor or multi-factor authentication respectively; "until-revoked" means no fixed maximum.
  8. To add or update your Azure AD token lifetime settings, decide on the new values and execute the following (adjusting the lifetimes as required; this example sets a one-hour access token lifetime):
    $newTokenPolicy = @('{
        "TokenLifetimePolicy":
        {
            "Version":1,
            "AccessTokenLifetime":"0.01:00:00",
            "MaxInactiveTime":"90.00:00:00",
            "MaxAgeSingleFactor":"until-revoked",
            "MaxAgeMultiFactor":"until-revoked",
            "MaxAgeSessionSingleFactor":"until-revoked",
            "MaxAgeSessionMultiFactor":"until-revoked"
        }
    }')
  9. If no policy existed in step 5, create one (the trailing backtick continues the command on the next line):
    New-AzureADPolicy -Type "TokenLifetimePolicy" -DisplayName "OrganizationDefaultPolicyScenario" `
    -IsOrganizationDefault $true -Definition $newTokenPolicy
  10. If a policy did exist, update it instead:
    Set-AzureADPolicy -Id $defaultTokenPolicy.Id -DisplayName "OrganizationDefaultPolicyUpdatedScenario" `
    -Definition $newTokenPolicy
  11. To validate that the policy has been applied correctly, repeat steps 4 through 7 and confirm that the returned definition contains your new values.
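The steps above can be combined into a single idempotent script that validates the lifetime values, creates the organization-default policy if none exists, updates it otherwise, and reads the result back. This is an added example, not code from the Flexera documentation or from Microsoft; it assumes the AzureADPreview module is installed and Connect-AzureAD has already been run. The function names (New-TokenLifetimeDefinition, Set-OrgDefaultTokenLifetime) and the display name "OrganizationDefaultTokenLifetime" are this example's own choices.

```powershell
# Added example: idempotent configuration of the organization-default
# TokenLifetimePolicy. Assumes AzureADPreview (Get-/New-/Set-AzureADPolicy)
# and an existing Connect-AzureAD session. Function names are hypothetical.

function New-TokenLifetimeDefinition {
    param(
        # Format is d.hh:mm:ss, e.g. "0.01:00:00" for one hour.
        [Parameter(Mandatory)][string]$AccessTokenLifetime,
        [string]$MaxInactiveTime = "90.00:00:00"
    )
    # Fail early on values Azure AD would reject: both must parse as a TimeSpan,
    # and AccessTokenLifetime must lie within Azure AD's documented range of
    # 10 minutes to 1 day.
    $ts = [TimeSpan]::Parse($AccessTokenLifetime)
    if ($ts -lt [TimeSpan]::FromMinutes(10) -or $ts -gt [TimeSpan]::FromDays(1)) {
        throw "AccessTokenLifetime must be between 0.00:10:00 and 1.00:00:00 (got $AccessTokenLifetime)"
    }
    [void][TimeSpan]::Parse($MaxInactiveTime)

    $policy = @{
        TokenLifetimePolicy = [ordered]@{
            Version                   = 1
            AccessTokenLifetime       = $AccessTokenLifetime
            MaxInactiveTime           = $MaxInactiveTime
            MaxAgeSingleFactor        = "until-revoked"
            MaxAgeMultiFactor         = "until-revoked"
            MaxAgeSessionSingleFactor = "until-revoked"
            MaxAgeSessionMultiFactor  = "until-revoked"
        }
    }
    # -Definition takes an array of JSON strings, matching the manual steps.
    return @($policy | ConvertTo-Json -Depth 3)
}

function Get-OrgDefaultTokenPolicy {
    # Same filter as step 4: the tenant-wide default TokenLifetimePolicy.
    Get-AzureADPolicy | Where-Object {
        $_.Type -eq "TokenLifetimePolicy" -and $_.IsOrganizationDefault -eq $true
    }
}

function Set-OrgDefaultTokenLifetime {
    param([Parameter(Mandatory)][string[]]$Definition)

    $existing = Get-OrgDefaultTokenPolicy
    if ($existing) {
        # Step 10: update the existing policy in place.
        Set-AzureADPolicy -Id $existing.Id -DisplayName "OrganizationDefaultTokenLifetime" `
            -Definition $Definition
    } else {
        # Step 9: no policy yet, so create the organization default.
        New-AzureADPolicy -Type "TokenLifetimePolicy" -DisplayName "OrganizationDefaultTokenLifetime" `
            -IsOrganizationDefault $true -Definition $Definition
    }

    # Step 11: read the policy back so the caller can confirm the applied values.
    (Get-OrgDefaultTokenPolicy).Definition
}

# Usage: one-hour access tokens; the refresh token settings are kept at the
# values shown in the manual steps (note that Azure AD no longer honors them).
$def = New-TokenLifetimeDefinition -AccessTokenLifetime "0.01:00:00"
Set-OrgDefaultTokenLifetime -Definition $def
```

The range check mirrors what Azure AD enforces server-side, so a typo such as "0.00:01:00" fails locally with a clear message instead of an API error. Because Set-AzureADPolicy replaces the whole definition, the script always writes every property rather than patching one field.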
