Gavin

Reputation: 2824

Azure AD refresh token doesn't seem to expire even when token policy is set

I have tried going into the Azure Portal PowerShell and creating this default token policy, setting the refresh token max age to 12 minutes. But it seems like I can still use the refresh token to get a new access token through the POST /token endpoint after 15 mins (more than the MaxInactiveTime of 11 min).

I know the policy is being applied because the newly issued access token is using the new policy-defined lifetime (10 mins). It's just that the new refresh token lifetime is not being applied.

AzureAdTokenPolicy

  New-AzureADPolicy -DisplayName OrganizationDefaultPolicyScenario -Definition @('{
    "TokenLifetimePolicy":{
      "Version":1,
      "MaxAgeSingleFactor":"00:12:00",
      "AccessTokenLifetime":"00:10:00",
      "MaxInactiveTime":"00:11:00",
      "MaxAgeSessionSingleFactor":"00:12:00",
      "MaxAgeSessionMultiFactor":"00:12:00",
      "MaxAgeMultiFactor":"00:12:00"
    }
  }') -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

Upvotes: 0

Views: 647

Answers (1)

aidden

Reputation: 543

I think this behaviour is by design: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Token lifetimes with confidential client refresh tokens

Confidential clients are applications that can securely store a client password (secret). They can prove that requests are coming from the secured client application and not from a malicious actor. For example, a web app is a confidential client because it can store a client secret on the web server. It is not exposed. Because these flows are more secure, the default lifetimes of refresh tokens issued to these flows is until-revoked, cannot be changed by using policy, and will not be revoked on voluntary password resets.

So if your Azure AD application is registered as a "Web app / API" (Legacy registrations blade) or "Web" (New registrations blade) application, it is considered a "confidential client" and is issued non-expiring refresh tokens.

Upvotes: 2
