Reputation: 101
I have registered a multi-tenant app in Azure AD and I would like to extend the lifetime of the access and refresh tokens the users who sign into my app receive. Despite creating a default policy for tokens, the access token my user receives is 1 hour.
The policy I have created is:
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:00:00","MaxInactiveTime":"90.00:00:00","MaxAgeSingleFactor":"until-revoked","MaxAgeMultiFactor":"until-revoked","MaxAgeSessionSingleFactor":"until-revoked","MaxAgeSessionMultiFactor":"until-revoked"}}') -DisplayName "OrganizationDefaultPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Considering how my policy is probably not being applied to users who sign in from other tenants, I tried applying it specifically to my app using:
Add-AzureADApplicationPolicy -Id -RefObjectId, but I was presented with the error:
Add-AzureADApplicationPolicy : Error occurred while executing AddApplicationPolicy
Code: Request_BadRequest
Message: Policy operations on v2 application are disabled.
InnerError:
RequestId: ...
DateTimeStamp: Mon, 02 Sep 2019 20:39:54 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADApplicationPolicy -Id ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureADApplicationPolicy], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.AddApplicationPolicy
Upvotes: 1
Views: 594
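As an added check that is not code from the question or the answer, the Python below parses the question's TokenLifetimePolicy definition (the .NET TimeSpan strings and the "until-revoked" sentinel) and compares the configured AccessTokenLifetime against the exp - iat window of an access token, which is the practical way to confirm whether a lifetime policy actually took effect. The sample token is constructed locally and unsigned; the helper names are my own, not part of any Microsoft API.

```python
import base64
import json
import re
from datetime import timedelta

# Policy definition copied from the question's New-AzureADPolicy call.
POLICY_DEFINITION = (
    '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:00:00",'
    '"MaxInactiveTime":"90.00:00:00","MaxAgeSingleFactor":"until-revoked",'
    '"MaxAgeMultiFactor":"until-revoked","MaxAgeSessionSingleFactor":"until-revoked",'
    '"MaxAgeSessionMultiFactor":"until-revoked"}}'
)
TIMESPAN_RE = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")  # .NET "d.hh:mm:ss" or "hh:mm:ss"

def parse_timespan(value):
    """Convert a policy duration to a timedelta; 'until-revoked' means no limit (None)."""
    if value == "until-revoked":
        return None
    match = TIMESPAN_RE.match(value)
    if not match:
        raise ValueError(f"unrecognised TimeSpan value: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def policy_durations(definition_json):
    """Every duration setting of a TokenLifetimePolicy definition, parsed to timedeltas."""
    policy = json.loads(definition_json)["TokenLifetimePolicy"]
    return {k: parse_timespan(v) for k, v in policy.items() if k != "Version"}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_lifetime(jwt):
    """exp - iat of a JWT. The signature is deliberately not checked: this only reads claims."""
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    return timedelta(seconds=claims["exp"] - claims["iat"])

def lifetime_matches_policy(jwt, definition_json):
    """True when the token's validity window equals the configured AccessTokenLifetime."""
    return token_lifetime(jwt) == policy_durations(definition_json)["AccessTokenLifetime"]

def make_sample_jwt(iat, exp):
    """Constructed, unsigned test token (placeholder signature) so the checks run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc({"iat": iat, "exp": exp})}.placeholder'
```

Run lifetime_matches_policy on a real token from a sign-in to see whether its window is the 23 hours the policy asks for or the 1 hour the question reports.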
Reputation: 5294
An application for any tenant will not be able to add the Azure AD Policy. This issue needs to be considered as by design, since the Azure AD Policy is considered a v1 policy and this can't be applied to a v2 application.
Here is the response on the question:
Some policies are blocked for converged Applications, since they are not supported by MSA (Microsoft Account) and Azure AD.
The Configurable Token Lifetime will be deprecated later this year and replaced by a new feature for Conditional Access policy.
So, we are not planning to invest into Configurable Token Lifetime to discourage taking dependencies with it.
The second paragraph, noted as important, says the configurable token lifetime policy will be deprecated; please check the information below:
Hope it helps.
Upvotes: 2