1
votes

I am using my B2C application's client ID and client secret to request an access token from the /oauth2/token endpoint. I am using this access token to make requests to the Microsoft Graph API. But I'd like to reduce the lifetime of the access token. By default, it is set to 60 minutes.

I tried to execute the following command in PowerShell to reduce the access token lifetime:

New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00","MaxAgeSessionSingleFactor":"00:10:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

But received the error:

New-AzureADPolicy : Error occurred while executing NewPolicy Code: Request_BadRequest Message: Configure Token Lifetime for RT/ST (Refresh/Session Token) has been retired on May 30, 2020. New policy cannot be created anymore. Refer https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes for more information

I went to the link in the error message, but still could not find out how to set the AccessTokenLifetime. I see that for refresh and session tokens, you can use conditional access policies. But I can't find any way to set the access token lifetime.

Am I missing something?


2 Answers

1
votes

You could use the Create tokenLifetimePolicy API to create it, and refer to the properties of a token lifetime policy definition.

POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies

{
  "definition": [
    "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"01:30:00\"}}"
  ],
  "displayName": "xxxxxx",
  "isOrganizationDefault": false
}

I tested it with Postman:



There is a similar issue about the error:

Configurable token lifetime feature is now replaced with Conditional Access Session Management, as mentioned in the warning at the link below:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#configuring-authentication-session-controls

Microsoft plans to retire the configurable token lifetime feature for refresh and session token lifetimes on January 30, 2021 and replace it with the Conditional Access authentication session management feature.

0
votes

Like the error states: Configure Token Lifetime for RT/ST (Refresh/Session Token) has been retired on May 30, 2020.

The MaxAgeSessionSingleFactor parameter in the definition affects the session tokens, hence the error.

You could try the below:

New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
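Both answers stop at creating the policy. A tokenLifetimePolicy created with isOrganizationDefault set to false changes nothing until it is assigned to an application, so the following PowerShell script (an added example, not code from the question or either answer) carries the first answer's Graph request through to that assignment step and a verification read, using the AccessTokenLifetime-only definition from the second answer. It assumes placeholder values for the tenant ID, an automation app's client ID and secret, and the object ID of the target application, and assumes that automation app has been granted the Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All application permissions with admin consent.

```powershell
# Added example (not from the question or either answer): create an access-token
# lifetime policy through Microsoft Graph and attach it to one application.
# Assumptions: the four values below are placeholders you must replace, and the
# calling app holds the Policy.ReadWrite.ApplicationConfiguration and
# Application.ReadWrite.All application permissions (admin-consented).

$tenantId          = '<tenant-id>'
$clientId          = '<automation-app-client-id>'
$clientSecret      = '<automation-app-client-secret>'
$targetAppObjectId = '<object-id-of-the-app-to-shorten-tokens-for>'   # objectId, not appId

# 1. Client-credentials token for Microsoft Graph.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Build the policy definition. Only AccessTokenLifetime is set; adding the
#    retired RT/ST properties (e.g. MaxAgeSessionSingleFactor) is what produced
#    the Request_BadRequest error in the question.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = '00:10:00'   # hh:mm:ss, 10 minutes
    }
} | ConvertTo-Json -Compress

$policyBody = @{
    definition            = @($definition)   # Graph expects an array of JSON *strings*
    displayName           = 'ShortAccessTokenPolicy'
    isOrganizationDefault = $false           # scoped: only assigned apps are affected
} | ConvertTo-Json -Depth 5

$policy = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies' `
    -Headers $headers -ContentType 'application/json' -Body $policyBody
Write-Host "Created tokenLifetimePolicy $($policy.id)"

# 3. Assign the policy to the application. Without this step a non-default
#    policy has no effect on any token.
$refBody = @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.id)"
} | ConvertTo-Json

Invoke-RestMethod -Method Post `
    -Uri "https://graph.microsoft.com/v1.0/applications/$targetAppObjectId/tokenLifetimePolicies/`$ref" `
    -Headers $headers -ContentType 'application/json' -Body $refBody

# 4. Verify: list the policies now attached to the application.
(Invoke-RestMethod -Method Get `
    -Uri "https://graph.microsoft.com/v1.0/applications/$targetAppObjectId/tokenLifetimePolicies" `
    -Headers $headers).value | Select-Object id, displayName, definition
```

Run it once per application; the same policy ID can be assigned to several applications by repeating step 3. Tokens already issued keep their original expiry, so expect the shorter lifetime only on tokens minted after the assignment, and confirm it by decoding the exp and iat claims of a freshly requested access token.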