How to create a policy to set MaxInactiveTime and MaxAgeMultiFactor of refresh tokens for a particular application

Yasitha Pandithawatta 121

I want to set MaxAgeMultiFactor to until-revoked and MaxInactiveTime to 30 days of a refresh tokens which generated against a particular app.

I was following the below two documentations.

But when try to create a policy with following definition it gives an error.

Definition: "{"TokenLifetimePolicy":{"Version":1, "MaxAgeMultiFactor":"until-revoked","MaxInactiveTime":"30.00:00:00"}}"

Error: "Configure Token Lifetime for RT/ST (Refresh/Session Token) has been retired on May 30, 2020. New policy cannot be created anymore. Refer https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes for more information"

Error contains the exact documentation I followed and I took the definition from the documentation.

How can I achive this? I am doing anything wrong here?

Is it possible to achive this using conditional access policy. How can I create a conditional policy to achive this?

Saurabh Sharma 23,751 Reputation points Microsoft Employee

2021-02-17T00:09:47.91+00:00

@Yasitha Pandithawatta Thanks for using Microsoft Q&A !!

As mentioned in the same documentation under Important Note section, you need to use the conditional access policy to configure refresh and session toke lifetimes going forward. So, you can define the policy as mentioned over here to set the MaxInactiveTime to 30 days instead of 90.
Yasitha Pandithawatta 121 Reputation points

2021-02-17T12:49:12.993+00:00

@Saurabh Sharma thanks for your response.

I have gone through the that documentation as well. I can setup a conditional policy by specifying the app and set Sign in frequency for maximun 365 days. But it's not set for until revoked. Is it not possible to set the refresh token expiry to until revoked using conditional policies? Also how this effect for the MaxInactiveTime?
Saurabh Sharma 23,751 Reputation points Microsoft Employee

2021-02-17T20:51:08.233+00:00

@Yasitha Pandithawatta ok. I am checking internally with the products team on the same and get back to you.

Accepted answer

Saurabh Sharma 23,751 Reputation points Microsoft Employee

2021-02-18T16:06:51.487+00:00

@Yasitha Pandithawatta
As mentioned in configurable token lifetimes documentation the default value of MaxAgeMultifactor for refresh tokens is until revoked. So you should not have to do anything extra.

Also, the MaxInactiveTime has been discontinued and cannot be configured.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
Please sign in to rate this answer.
Yasitha Pandithawatta 121 Reputation points

2021-02-18T23:35:34.977+00:00

@SaurabhSharma-msf thanks for looking into this. It's true that the default MaxAgeMultifactor for refresh tokens is until revoked, but there are some customer who use our app, have another internal policies (old azure ad policies, or conditional policy) to expire the refresh tokens, so our refresh token also get expired and need to ask customers to reauthenticate frequently.

What I am trying to do is create a separate policy for our application, to force the refresh token MaxAgeMultifactor to keep until revoked. Is this possible?

Also after January 30th, did the existing ad policies discontinued and all the values are set back to default?

Saurabh Sharma 23,751 Reputation points Microsoft Employee

2021-02-19T23:32:49.33+00:00

@Yasitha Pandithawatta As mentioned in the document existing token’s lifetime will not be changed. After they expire, a new token will be issued based on the default value as mentioned here.

For the new policy you will have the MaxAgeMultifactor as default value for refresh tokens is until revoked as mentioned earlier.
Sign in to comment

How to create a policy to set MaxInactiveTime and MaxAgeMultiFactor of refresh tokens for a particular application

0 additional answers