
We use Azure AD to authenticate users into our WPF application, using their Office 365 accounts. This is done using the Active Directory Authentication Library (ADAL).

Currently, they are prompted to log in every time they open the app. We want to change this to allow logging in to the app via a cached token. This works but we want to shorten the expiration time of the token to 24 hours or less, requiring another sign in after that time has passed.

I don't see a way to manipulate the expiration of an Access Token in code. Is this something that needs to be done within Azure AD?




Summary

You cannot use ADAL to configure the expiration time of tokens. ADAL is an authentication library that helps you interact with the token service, but you can set the token lifetime configuration on your Service Principal, Application, or Tenant.

You'll need to use PowerShell to create a policy describing the behavior you want, and link it to your service principal, tenant, or application. Keep in mind, if you're building a multi-tenant app, the owner of the tenant can overwrite your policy.

tl;dr: Don't rely on the token lifetime in your app as it can change at any time.

Create and set the Token Lifetime Policy

You can set these properties using Azure AD PowerShell commands. Then run the following commands to set an access token lifetime:

  1. Sign in to PowerShell.

     Connect-AzureAD -Confirm

  2. Create a new policy to set the Access Token lifetime to 2 hours. You can change this to be between 10 minutes and 1 day.

     New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

  3. Get the policy's ObjectId.

     Get-AzureADPolicy

  4. Link the new policy to your application. You can get the ObjectId of your app using the Graph Explorer.

     Add-AzureADApplicationPolicy -Id <ObjectId of the Application> -RefObjectId <ObjectId of the Policy>

For more examples and the full documentation, check out Azure AD Configurable Token Lifetime.
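The four steps above, put together as one idempotent script for the question's 24-hour requirement. This is an added example, not code from the answer or from Microsoft: it assumes the AzureADPreview module (where the *-AzureADApplicationPolicy cmdlets live), a hypothetical policy name, and that the lifetime string is a .NET TimeSpan ("1.00:00:00" = one day).

```powershell
# Added example: create (or update) a 24-hour access token lifetime policy,
# link it to the WPF app, and read the link back to verify it took effect.
# Assumes the AzureADPreview module and a signed-in Global Administrator.
param(
    [Parameter(Mandatory = $true)] [string] $AppId,          # application (client) id of the WPF app
    [string] $PolicyName = "WpfDesktopTokenLifetime"         # hypothetical display name
)

Connect-AzureAD | Out-Null

# Assumption: lifetimes are .NET TimeSpan strings (d.hh:mm:ss); the answer gives the
# allowed access token range as 10 minutes to 1 day.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = "1.00:00:00"
    }
} | ConvertTo-Json -Compress -Depth 3

# Reuse a policy with the same display name instead of creating a duplicate each run.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq "TokenLifetimePolicy" -and $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName `
        -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
} else {
    Set-AzureADPolicy -Id $policy.Id -Definition @($definition)
}

# Resolve the application's directory ObjectId from its AppId, so Graph Explorer is not needed.
$app = Get-AzureADApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No application with AppId $AppId found in this tenant." }

# An application carries at most one policy of a given type, so unlink any other
# token lifetime policy before linking ours (the tenant default still applies elsewhere).
$linked = @(Get-AzureADApplicationPolicy -Id $app.ObjectId)
foreach ($p in $linked) {
    if ($p.Type -eq "TokenLifetimePolicy" -and $p.Id -ne $policy.Id) {
        Remove-AzureADApplicationPolicy -Id $app.ObjectId -PolicyId $p.Id
    }
}
if (-not ($linked | Where-Object { $_.Id -eq $policy.Id })) {
    Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
}

# Verify: the app should now list exactly the policy we created, with the 1-day lifetime.
Get-AzureADApplicationPolicy -Id $app.ObjectId | Select-Object DisplayName, Type, Definition
```

Even with the policy in place, check ExpiresOn on the token the app actually receives: a tenant admin can override the policy at any time, as the answer's tl;dr says.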

  • Sounds like exactly what we need. I'll mark this as the answer for now and will comment back if something doesn't work, but I imagine it should. Thanks – S-Vuk Oct 20 '17 at 19:13
  • @S-Vuk let me know if you have any hiccups! – Daniel Dobalian Oct 23 '17 at 02:56
  • @DanielDobalian are you aware of a way to do this without PowerShell? – Martin Peck Mar 01 '19 at 08:18
  • @MartinPeck these PowerShell scripts call the Azure AD Graph API, so I believe you can do it directly against the API. If you're looking for some UI, I think the [Azure AD Graph Explorer](https://graphexplorer.azurewebsites.net/) will help! – Daniel Dobalian Mar 07 '19 at 00:43
  • Just tried this, with PowerShell throwing an error saying it's retired 30th May. Info [here](https://learn.microsoft.com/en-au/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#configuring-authentication-session-controls) suggests that the 'configurable token lifetime' feature is now replaced with the 'Conditional Access authentication session management'. However, this is a premium Azure AD feature. Does anyone know how to configure a token so its default of 1 hour can be overridden on a pleb (free) AD tenant? Thanks! – fuzzy_logic Jun 25 '20 at 02:59