KevinAzure asked ·

Azure AD - MSAL - ID Token - Timeout - acquireTokenSilent() ISSUE

I am using an Angular 8 app with MSAL 0.1.4 to authenticate through Azure AD.

The first time, the user is prompted with Login and I get back the ID Token.
I call the API with the ID Token and all is well!

After an hour the ID Token expires and API calls fail!

I resolved it with acquireTokenSilent(), passing the Client ID as the scope parameter.
I get a new ID Token and my API calls succeed!

Now, after 1 hour 40 minutes, a new ERROR appears:

  • Error when acquiring token for scopes: guid-guid-guid AADSTS70044: The session has expired or is invalid based on conditional access policy.
  • interaction_required; Error description: AADSTS70044: The session has expired or is invalid based on conditional access policy.
  • Error when acquiring token for scopes: 5669c008-20c0-4118-8f45-6e98c8d8fa76 AADSTS70044: The session has expired or is invalid based on conditional access policy.

What should be the solution in client-side Angular code?
What should be the solution in server-side AAD configuration?

Am I using it correctly, or should I use an Access Token instead of an ID Token?

Please advise.

azure-active-directory
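A client-side pattern for the first question, added here as an example that is not code from the question, the answer or MSAL itself: detect the interaction_required class of failure returned by acquireTokenSilent() (AADSTS70044 is one instance) and hand over to an interactive flow instead of failing the API call. The msal.js 0.x method names and the shape of the rejection string are assumptions; the stand-in client and token are constructed.

```javascript
// Added example (not from the question, the answer or MSAL): wrap
// acquireTokenSilent() so an interaction_required failure such as AADSTS70044
// falls back to an interactive sign-in instead of failing the API call.
// Assumed msal.js 0.x shape: acquireTokenSilent(scopes) returns a Promise that
// rejects with a string like "interaction_required; Error description: ...";
// acquireTokenRedirect(scopes) starts a full-page redirect. Check your version.

// OIDC error codes meaning "silent renewal cannot succeed" plus the AADSTS
// code from the question (Conditional Access sign-in frequency expired).
const INTERACTION_MARKERS = ['interaction_required', 'login_required', 'consent_required', 'AADSTS70044'];

// True when the error can only be cleared by an interactive sign-in.
function needsInteraction(err) {
  const text = err instanceof Error ? err.message : String(err);
  return INTERACTION_MARKERS.some((marker) => text.includes(marker));
}

// Silent renewal first; on an interaction_required-class error hand over to the
// interactive flow once; anything else (network, config) is rethrown so a
// misconfiguration cannot turn into a redirect loop.
async function acquireTokenWithFallback(msalApp, scopes) {
  try {
    return await msalApp.acquireTokenSilent(scopes);
  } catch (err) {
    if (!needsInteraction(err)) throw err;
    msalApp.acquireTokenRedirect(scopes); // token arrives via the callback after return
    return null;
  }
}

// Constructed stand-in for the MSAL client so this runs offline: the first silent
// call succeeds (as at the 1 h mark), the second fails as at 1 h 40 min.
function makeFakeMsalApp() {
  let calls = 0;
  const app = {
    redirectedWith: null,
    acquireTokenSilent() {
      calls += 1;
      if (calls === 1) return Promise.resolve('constructed.id.token');
      return Promise.reject('interaction_required; Error description: AADSTS70044: ' +
        'The session has expired or is invalid based on conditional access policy.');
    },
    acquireTokenRedirect(scopes) { app.redirectedWith = scopes; },
  };
  return app;
}
```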

1 Answer

amanpreetsingh-msft answered ·

@KevinAzure Based on the error that you have shared, it appears to be due to the session control configuration in a Conditional Access policy.

If you navigate to Azure Portal > Azure Active Directory > Security > Conditional Access > Policies > Your_CA_Policy > Session, you can see the sign-in frequency configuration, where you can configure the time period before a user is asked to sign in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer. The value can be 1-23 hours or 1-365 days.

Note: If you have multiple Conditional Access policies, you may consider using the What If tool under the Conditional Access blade to narrow down the number of policies which are taking effect.


Please "Accept as answer" wherever the information provided helps you to help others in the community.
