Secure Application Model

Learn and ask questions on how to implement secure application model

Level 1 Contributor

Cannot change AccessTokenlifetime / bearer token / App registration / Graph API permissions

Hi,

 

I use an App registration within Azure AD with specific Graph API permissions to create and assign users and to create groups and Teams and populate them with members.

This is mostly done in large educational environments where we deal with quite some users, groups and Teams.

I am currently trying to deliver +/- 4000 users and +/- 3200 Groups and Teams.

 

The problem I encounter is that when I do an authentication request the bearer token expires after 3599 seconds. The action I am trying to execute is not finished after that and the call is aborted while not finished.

 

So I would like to change the AccessTokenLifetime on the App registration.

 

Well no problem https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.

 

But…. This functionality was deprecated 30 May 2020… No problem, this should be the alternative …. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.

 

This describes that it should be done with Conditional Access policy … nice looking good …

But … it seems that an App registration doesn’t apply for this solution yet… Whatever I try to configure, the bearer authentication token keeps having the same expires_in value.

 

So …. Anyone any idea how I can fix this issue ? Am I doing something wrong ?

 

Appreciate all the help !

 

Grt Eric

Microsoft

In my understanding, the user sign-in frequency policies will not help in this regard; they are not designed to extend the lifetime of the access/bearer token, but to reduce the lifetime of or invalidate the (refresh) token, e.g. to enforce authentication or MFA more often.

 

Is this a single action that takes over an hour? Would it be possible to re-do the creation of the token in between different steps?

 

If there are no other ideas coming up in this community, I'd advise you open an advisory request in the Technical Presales & Deployment Services team via https://aka.ms/tpdmsform

 

BR,

Janosch

 

Kind regards,
Janosch
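Janosch's suggestion above, re-creating the token between steps, as an added example that is not code from the poster or from Microsoft: a small Python token cache that records `expires_in` from the token response and re-acquires the client-credentials token before it runs out, checked before every Graph call rather than once per job. The `fetch_token` and `graph_call` callables, the simulated clock and the sample UPNs are stand-ins assumed here so the module runs offline.

```python
import time
from typing import Callable, Dict, List

RENEW_MARGIN = 300  # seconds; renew when less than this remains on the token


class TokenCache:
    """Holds a client-credentials token and renews it before it expires."""

    def __init__(self, fetch_token: Callable[[], Dict], now: Callable[[], float] = time.time):
        self._fetch_token = fetch_token   # hypothetical: POSTs to the tenant's token endpoint
        self._now = now
        self._token, self._expires_at, self.tokens_issued = None, 0.0, 0

    def get(self) -> str:
        if self._token is None or self._now() >= self._expires_at - RENEW_MARGIN:
            resp = self._fetch_token()
            self._token = resp["access_token"]
            # expires_in counts from issue time; the thread reports 3599 seconds
            self._expires_at = self._now() + int(resp["expires_in"])
            self.tokens_issued += 1
        return self._token


def provision_users(users: List[str], cache: TokenCache,
                    graph_call: Callable[[str, str], None]) -> int:
    """Create users one by one, fetching the token before every call, not once per job."""
    for upn in users:
        graph_call(cache.get(), upn)
    return len(users)


def simulate_long_run(num_users: int, seconds_per_user: int) -> Dict[str, int]:
    """Offline re-enactment with a constructed clock, token endpoint and Graph endpoint."""
    clock = {"t": 0.0}
    valid_until: Dict[str, float] = {}

    def fake_fetch_token() -> Dict:               # constructed stand-in for the token endpoint
        tok = f"tok{len(valid_until) + 1}"
        valid_until[tok] = clock["t"] + 3599
        return {"access_token": tok, "expires_in": 3599}

    def fake_graph_call(token: str, upn: str) -> None:  # constructed stand-in for Graph
        if clock["t"] >= valid_until[token]:
            raise PermissionError("401 InvalidAuthenticationToken: token expired")
        clock["t"] += seconds_per_user           # each creation takes this long

    cache = TokenCache(fake_fetch_token, now=lambda: clock["t"])
    users = [f"user{i}@example.edu" for i in range(num_users)]   # constructed UPNs
    created = provision_users(users, cache, fake_graph_call)
    return {"created": created, "tokens_issued": cache.tokens_issued}
```

Running `simulate_long_run(4000, 3)` covers the 4000-user job from the question over 12000 simulated seconds with four tokens and no expired call; the same loop with one token fetched up front would fail after 3599 seconds.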
Level 1 Contributor

Just got off the phone with MS. Seems I am not the only one with this problem. The policy method was deprecated while the new conditional access method is not working in some/most cases. They are working on a solution .... so in the meanwhile I am stuck with a 3599 seconds limit to do my work 😞

Microsoft

Reading your scenario again and after checking internally - the option to configure AccessToken Lifetimes is not deprecated, this should still work - and I can confirm that sign-in frequency is not for the access token, but the session token or refresh token.

 

"After May 30, 2020 no new tenant will be able to use Configurable Token Lifetime policy to configure session and refresh tokens. The deprecation will happen within several months after that, which means that we will stop honoring existing session and refresh token policies. You can still configure access token lifetimes after the deprecation."

Kind regards,
Janosch
Level 1 Contributor

Yes, it is a single action, so a re-authenticate would not be possible within this single action. All I want is to adjust the bearer token lifetime to 4 hours.... instead of 1 hour.

 

We are going to look to use the refresh token option but then we need to alter our software which is not a short term solution....

 

Thanks in advance !

 

Greetings Eric van Engelen