I want to change the default token lifetimes in Azure AD as shown here, but it looks like the changes are not being applied.
I am running the following commands using the PowerShell cmdlets in the AzureAdPreview module from the PowerShell Gallery:
New-AzureADPolicy -Definition @("{`"TokenLifetimePolicy`":{`"Version`":1, `"AccessTokenLifetime`":`"10:00`",`"MaxInactiveTime`":`"10:00`",`"MaxAgeSingleFactor`":`"10:00`",`"MaxAgeMultiFactor`":`"10:00`",`"MaxAgeSessionSingleFactor`":`"10:00`",`"MaxAgeSessionMultiFactor`":`"10:00`"}}") -DisplayName AbsoluteMinimumPolicyScenario -IsOrganizationDefault $false -Type TokenLifetimePolicy
I want to set all token lifetimes to the bare-minimum 10 minutes in order to test some auth code in my web API.
I then assign this policy to my registered application in Azure AD:
Add-AzureADApplicationPolicy -ObjectId <application-object-id> -RefObjectId <policy-id>
Using Get-AzureADPolicyAppliedObject -ObjectId <policy-id> I confirm that my policy has been applied to my application...
... and yet, when I attempt to retrieve a fresh access token during login (using ADAL), I can see that the expiry date is still at the default of 1 hour.
What am I doing wrong?
First, you need to follow the format for time parameter set for 10 minutes as below.
00:10:00
Besides, in my lab, I find that the policy only can work when the parameter IsOrganizationDefault is set as $true. The policy can't be enforced even though it's explicitly assigned to the specific application or service principle.
I made it work by only using New-AzureADPolicy cmdlet and setting -IsOrganizationDefault $true not $false. The effect takes a while for you to see it. So wait for about 30 minutes to an hour (I don't know how long exactly). After that your new policy will be created and applied. Also remember that this is PowerShell, so no whitespaces in the cmdlet.
Example:
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxInactiveTime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "PolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Multi-Line version:
New-AzureADPolicy -Definition @(
'
{
"TokenLifetimePolicy":
{
"Version": 1,
"AccessTokenLifetime": "02:00:00",
"MaxInactiveTime": "02:00:00",
"MaxAgeSessionSingleFactor": "02:00:00"
}
}
'
) -DisplayName "PolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Microsoft may fix the issue with IsOrganizationDefault $true. Read more on this in the question: Azure AD Configurable Token Lifetimes not being Applied.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 做自己的国王 的文章《Azure AD Configurable Token Lifetimes not being Ap》','https://www.manongdao.com/article-853989.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}