question

07240970 asked RakeshJagatap-4451 commented

Are there any access restrictions on Client Secret Connection Type?


I wonder if there are any restrictions such as limiting the number of connections for 10 minutes.

azure-ad-authentication

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.


1 Answer

amanpreetsingh-msft answered

Hi @07240970, thank you for reaching out.

By Client Secret Connection, I assume you are referring to connection established after acquiring token using Client ID and Client Secret. Correct me if I am wrong.

If this is the case, as of now there is no option to set specific session limit/expiry for a given service principal.

The best you can do at this time is to reduce the Access Token lifetime to 10 minutes for the resource/API you are trying to access using an Access Token acquired via Client Credentials.

    # Requires the AzureAD PowerShell module (run Connect-AzureAD first)
    # Create a token lifetime policy that caps access tokens at 10 minutes
    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}') -DisplayName "AccessTokenPolicy" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

    # Confirm the policy was created
    Get-AzureADPolicy -Id $policy.Id

    # Get ID of the service principal
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<display name of resource/API service principal>'"

    # Assign policy to a service principal
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

Note: With the above configuration, if you acquire a token for the given resource/API under user context (rather than client credentials), the validity of the Access Token would still be 10 min, but in that case you can acquire a refresh token which can be redeemed to acquire a new Access Token. However, when the client credential flow is used, no refresh token is issued and a new access token would need to be acquired after 10 min by making a new token acquisition call.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
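To show what the last paragraph of the answer means for an app-only caller, here is an added example (not code from the original answer or from Microsoft): a Python token cache that re-runs the client-credentials request shortly before the expires_in deadline, because this grant never yields a refresh token. The v2.0 token endpoint URL is assumed, and the stub endpoint's expires_in=599 is a constructed value modelling the 10-minute policy.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def fetch_client_credentials_token(tenant, client_id, client_secret, scope):
    """POST grant_type=client_credentials to the v2.0 token endpoint; the
    reply has access_token/expires_in but never a refresh_token."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": scope}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

class ClientCredentialTokenCache:
    """Serves a cached app-only token and re-runs the token request once it
    is within skew_seconds of the expires_in deadline. clock is injectable."""

    def __init__(self, fetch, clock=time.time, skew_seconds=60):
        self._fetch, self._clock, self._skew = fetch, clock, skew_seconds
        self._token, self._expires_at, self.acquisitions = None, 0.0, 0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()          # a full client-credentials call
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
            self.acquisitions += 1
        return self._token

def simulate_ten_minute_policy(minutes=25):
    """Constructed offline run: a stub endpoint answers with expires_in=599
    (modelling the 00:10:00 AccessTokenLifetime policy) while the caller
    wants a token every minute. Returns the number of token requests made."""
    fake_now = [0.0]
    stub = lambda: {"token_type": "Bearer", "expires_in": 599,
                    "access_token": "constructed-token"}
    cache = ClientCredentialTokenCache(stub, clock=lambda: fake_now[0])
    for minute in range(minutes + 1):
        fake_now[0] = minute * 60.0
        cache.get_token()
    return cache.acquisitions
```

Over a 25-minute window the simulation needs three separate token requests; swap the stub for fetch_client_credentials_token to run it against a real tenant.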
