Configure token lifetime policies (preview)

You can specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization. For more information, see configurable token lifetimes.

In this section, we walk through a common policy scenario that can help you impose new rules for token lifetime. In the example, you learn how to create a policy that requires users to authenticate more frequently in your web app.

Get started

To get started, download the latest Azure AD PowerShell Module Public Preview release.

Next, run the Connect-AzureAD cmdlet to sign in with your Azure AD admin account. Run this command each time you start a new session.

Connect-AzureAD -Confirm

Create a policy for web sign-in

In this example, you create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens to the service principal of your web app.

  1. Create a token lifetime policy.

    This policy, for web sign-in, sets the access/ID token lifetime to two hours.

    To create the policy, run the New-AzureADPolicy cmdlet:

    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

    To see your new policy, and to get the policy ObjectId, run the Get-AzureADPolicy cmdlet:

    Get-AzureADPolicy -Id $policy.Id

  2. Assign the policy to your service principal. You also need the ObjectId of your service principal.

    Use the Get-AzureADServicePrincipal cmdlet to list all of your organization's service principals or to look up a single one.

    # Get the ObjectId of the service principal
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"

    When you have the service principal, run the Add-AzureADServicePrincipalPolicy cmdlet:

    # Assign the policy to the service principal
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
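The two steps above, combined into one idempotent script, as an added example that is not part of the original article or the AzureAD module's own documentation. It assumes an active Connect-AzureAD session with the AzureADPreview module loaded, and that the service principal display name (a placeholder here) is replaced with your web app's name. Compared with the steps above it also guards against an ambiguous name lookup, avoids creating a duplicate policy or binding on a second run, and verifies the binding through Get-AzureADPolicyAppliedObject.

```powershell
# Added example: create the two-hour access/ID token policy, bind it to a
# web app's service principal, and verify the binding.
# Assumes: Connect-AzureAD has already been run; AzureADPreview is loaded.
$spDisplayName = '<service principal display name>'   # placeholder, replace with your app's name

# Resolve the service principal and fail fast if the lookup is empty or ambiguous,
# so the policy is never bound to the wrong app.
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$spDisplayName'")
if ($sp.Count -eq 0) { throw "No service principal named '$spDisplayName' was found." }
if ($sp.Count -gt 1)  { throw "More than one service principal is named '$spDisplayName'; look it up by -ObjectId instead." }
$sp = $sp[0]

# Reuse an existing policy with this display name instead of creating duplicates.
$policy = Get-AzureADPolicy -All $true |
    Where-Object { $_.Type -eq 'TokenLifetimePolicy' -and $_.DisplayName -eq 'WebPolicyScenario' } |
    Select-Object -First 1
if (-not $policy) {
    $definition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}'
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName 'WebPolicyScenario' `
        -IsOrganizationDefault $false -Type 'TokenLifetimePolicy'
}

# Bind the policy to the service principal only if it is not bound already.
$alreadyBound = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $alreadyBound) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Verify from the policy side: the service principal must now be one of its applied objects.
$applied = Get-AzureADPolicyAppliedObject -Id $policy.Id |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }
if ($applied) {
    Write-Output "Policy $($policy.Id) ('$($policy.DisplayName)') is applied to $($sp.DisplayName) ($($sp.ObjectId))."
} else {
    throw "Policy $($policy.Id) was not found among the applied objects of $($sp.ObjectId)."
}
```

Because the policy is not an organization default (-IsOrganizationDefault $false), it only affects tokens issued to the service principal it is bound to; other apps in the tenant keep their current lifetimes.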

View existing policies in a tenant

To see all policies that have been created in your organization, run the Get-AzureADPolicy cmdlet. Any policy whose defined property values differ from the defaults described earlier is in scope of the retirement.

Get-AzureADPolicy -All $true

To see which apps and service principals are linked to a specific policy you identified, run the following Get-AzureADPolicyAppliedObject cmdlet, replacing 1a37dad8-5da7-4cc8-87c7-efbc0326cf20 with one of your own policy IDs. Then you can decide whether to configure Conditional Access sign-in frequency or remain with the Azure AD defaults.

Get-AzureADPolicyAppliedObject -id 1a37dad8-5da7-4cc8-87c7-efbc0326cf20

If your tenant has policies that define custom values for the refresh and session token configuration properties, Microsoft recommends that you update those policies to values that reflect the defaults described earlier. If no changes are made, Azure AD will automatically honor the default values.
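A tenant-wide audit that joins the two cmdlets above, as an added example that is not part of the original article. It assumes an active Connect-AzureAD session with the AzureADPreview module loaded. The property names it checks (MaxInactiveTime, MaxAgeSingleFactor, MaxAgeMultiFactor, MaxAgeSessionSingleFactor, MaxAgeSessionMultiFactor) are the refresh/session lifetime settings of the TokenLifetimePolicy definition schema; the article does not list them, so treat that list as this example's assumption. The script reports, for every token lifetime policy, which of those properties it sets and which apps or service principals it is applied to, so you can see at a glance which policies need to be revisited before relying on Conditional Access sign-in frequency.

```powershell
# Added example: audit every TokenLifetimePolicy in the tenant and flag the ones
# that set custom refresh/session token properties, together with the objects
# each policy is applied to.
# Assumes: Connect-AzureAD has already been run; AzureADPreview is loaded.

# Refresh/session lifetime properties of the TokenLifetimePolicy schema (assumed list).
$refreshSessionProps = @(
    'MaxInactiveTime',
    'MaxAgeSingleFactor',
    'MaxAgeMultiFactor',
    'MaxAgeSessionSingleFactor',
    'MaxAgeSessionMultiFactor'
)

function Get-TokenLifetimePolicyReport {
    Get-AzureADPolicy -All $true |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' } |
        ForEach-Object {
            $p = $_

            # Definition is a list of JSON strings; the first element carries the settings.
            $settings = ($p.Definition[0] | ConvertFrom-Json).TokenLifetimePolicy

            # Collect only the refresh/session properties this policy explicitly defines.
            $custom = $settings.PSObject.Properties |
                Where-Object { $refreshSessionProps -contains $_.Name } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }

            # Apps and service principals the policy is currently bound to.
            $applied = Get-AzureADPolicyAppliedObject -Id $p.Id

            [pscustomobject]@{
                PolicyId              = $p.Id
                DisplayName           = $p.DisplayName
                IsOrganizationDefault = $p.IsOrganizationDefault
                AccessTokenLifetime   = $settings.AccessTokenLifetime
                CustomRefreshSession  = ($custom -join ', ')
                AppliedTo             = (($applied | ForEach-Object { "$($_.DisplayName) ($($_.ObjectId))" }) -join '; ')
            }
        }
}

# Rows with a non-empty CustomRefreshSession column are the policies in scope of the
# retirement; an organization default with such values affects every app in the tenant.
Get-TokenLifetimePolicyReport | Sort-Object IsOrganizationDefault -Descending | Format-Table -AutoSize
```

Run the function without Format-Table (for example, piping to Export-Csv) if you want to keep the result as evidence of the review.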

Troubleshooting

Some users have reported the error "Get-AzureADPolicy : The term 'Get-AzureADPolicy' is not recognized" after running the Get-AzureADPolicy cmdlet. As a workaround, run the following to uninstall and reinstall the AzureAD module and then install the AzureADPreview module:

# Uninstall the AzureAD module
Uninstall-Module AzureAD

# Reinstall the AzureAD module
Install-Module AzureAD

# Install the AzureAD Preview module; -AllowClobber lets its cmdlets override the same-named ones in AzureAD
Install-Module AzureADPreview -AllowClobber

# Sign in again and confirm the cmdlet is now available
Connect-AzureAD
Get-AzureADPolicy -All $true

Next steps

Learn about authentication session management capabilities in Azure AD Conditional Access.