MulderSidney-6129 asked saldana-msft edited

How and where are issued tokens saved within AzureAD

Greetings,

We have a concerned manager asking us questions about access and refresh tokens issued by AzureAD.

We have created an app that gives people the ability to check settings stored in another system.
The developers of the app have given us the ability to sign in and out of the app on the device used, by removing the access and refresh tokens stored on the device. By removing the tokens on the device, the manager is concerned that the stored (refresh) tokens (in AzureAD) can be misused by other people. The concern is more for the refresh token than the access token because the access token is far more short-lived.

I was asked to make sure those tokens can not be retrieved or misused but I can't find any documentation about how the refresh tokens are stored within AzureAD.
I thought the tokens might be stored hashed within AzureAD (just like passwords) so the information could not be retrieved but I can't be sure.

Is there any documentation about this subject anybody can point me to?
I did find documentation about lifetime but not about method of storage.

Your help is much appreciated.

Regards, Sidney

azure-active-directory microsoft-graph-identity azure-ad-authentication-protocols

1 Answer

amanpreetsingh-msft answered MulderSidney-6129 commented

Hi @MulderSidney-6129 · Thank you for reaching out.

Azure AD doesn't store any tokens and, AFAIK, no STS stores tokens. Tokens are always stored in the application storage/cache. These tokens are presented to Azure AD for validation. When you redeem the refresh token to acquire a new access token, Azure AD validates the integrity/signatures, validity, etc. of the refresh token and, once all the validation checks are passed, it returns a new access token.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft Thanks for the clarification.
That was exactly the information I was looking for.

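
A toy model of the redemption flow described in the answer above, added here as an illustration; it is not code from the thread and not Azure AD's implementation or token format. The HMAC key, JSON payload layout and lifetimes are assumptions: the issuer holds only a key, and `redeem` checks signature, type and expiry of the presented refresh token before returning a new access token.

```python
import base64, hashlib, hmac, json, time

# Constructed key for this example; a real STS protects its key material.
STS_KEY = b"constructed-demo-key-not-a-real-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(kind: str, subject: str, lifetime_s: int, now: float) -> str:
    """Return 'payload.signature'; the issuer keeps no copy of the token."""
    claims = {"typ": kind, "sub": subject, "exp": now + lifetime_s}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def validate(token: str, kind: str, now: float) -> dict:
    """Check integrity first, then type and expiry; raise ValueError on failure."""
    try:
        payload, sig = token.split(".")
        given = _unb64(sig)
    except ValueError as exc:  # wrong number of parts or bad base64
        raise ValueError("malformed token") from exc
    expected = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))  # only parsed after the signature check
    if claims["typ"] != kind:
        raise ValueError("wrong token type")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def redeem(refresh_token: str, now: float) -> str:
    """Exchange a valid refresh token for a new, short-lived access token."""
    claims = validate(refresh_token, "refresh", now)
    return issue("access", claims["sub"], 3600, now)  # 1 hour, constructed value

if __name__ == "__main__":
    t0 = time.time()
    rt = issue("refresh", "user@example.com", 90 * 24 * 3600, t0)  # constructed
    print(validate(redeem(rt, t0), "access", t0))
```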