Configurable token lifetimes in Azure Active Directory for my Web API

Vov4ik 6 Reputation points
2020-02-17T20:15:48.113+00:00

I need to create a token lifetime policy for my Web API. I've used the following guide, but the policy doesn't work. As I've noticed, for my Web API the following OrganizationDefaultPolicyScenario works. I made it work only by using an AzureADPolicy with -IsOrganizationDefault set to $true, not $false.

My configuration:

OdataType :
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"02:00:00"}}}
DisplayName : OrganizationDefaultPolicyScenario
IsOrganizationDefault : True
KeyCredentials : {}
Type : TokenLifetimePolicy

OdataType :
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"08:00:00", "MaxInactiveTime":"30.00:00:00", "MaxAgeMultiFactor":"until-revoked", "MaxAgeSingleFactor":"180.00:00:00"}}}
DisplayName : WebApiDefaultPolicy
IsOrganizationDefault : False
KeyCredentials : {}
Type : TokenLifetimePolicy

PS C:\Users\1> Get-Azureadapplicationpolicy -id

Id :
OdataType : #microsoft.graph.policy
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"08:00:00", "MaxInactiveTime":"30.00:00:00", "MaxAgeMultiFactor":"until-revoked", "MaxAgeSingleFactor":"180.00:00:00"}}}
DisplayName : WebApiDefaultPolicy
IsOrganizationDefault : False
KeyCredentials : {}
Type : TokenLifetimePolicy

Microsoft Entra ID

1 answer

  1. Daniel Stefaniak 6 Reputation points
    2020-02-19T00:51:55.32+00:00

    You need to assign it to a service principal representing the resource your clients are accessing. What is your client, and what API is it accessing (i.e. when you ask for an access token, what is your resource parameter)?

    Also, token lifetimes will be gone by the end of June (only access token timeout customizations are sticking around). Look at sign-in frequency in Conditional Access instead.

    1 person found this answer helpful.
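The assignment step the answer describes, written out as an added example that is not from the original post or from Microsoft's documentation. It assumes the AzureADPreview module (where New-AzureADPolicy and the *-AzureADServicePrincipalPolicy cmdlets live) is installed and Connect-AzureAD has already been run; the application ID is a placeholder for the Web API's own. A policy created with -IsOrganizationDefault $false does nothing until it is linked to an object, which is why only the $true variant appeared to work in the question; linking it to the resource's service principal is what makes the $false variant apply to tokens issued for that API.

```powershell
# Added example, not code from the original post. Requires the AzureADPreview
# module and an existing Connect-AzureAD session (assumptions). The AppId below
# is a placeholder: substitute the Application (client) ID of your Web API.
$webApiAppId = '00000000-0000-0000-0000-000000000000'

# 1. Create the policy. IsOrganizationDefault $false means it applies only to
#    the objects it is explicitly linked to; without step 3 it has no effect.
$definition = @'
{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}
'@
$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName 'WebApiDefaultPolicy' `
                            -IsOrganizationDefault $false `
                            -Type 'TokenLifetimePolicy'

# 2. Find the service principal that represents the resource (the Web API),
#    i.e. the object your clients name as the resource/audience when they
#    request an access token.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$webApiAppId'"
if (-not $sp) { throw "No service principal found for AppId $webApiAppId" }

# 3. Link the policy to that service principal (the step missing in the question,
#    which had linked the policy to the application object instead).
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 4. Verify: the policy should now be listed for the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, IsOrganizationDefault, Definition

# To roll back later (for example after moving to a Conditional Access
# sign-in frequency policy as the answer suggests):
# Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId $policy.Id
# Remove-AzureADPolicy -Id $policy.Id
```

After step 3, request a fresh access token for the API and inspect its exp claim relative to iat; tokens already cached by clients keep their original lifetime until they are renewed.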