achahbar

Reputation: 991

Extend Access Token Lifetime of Azure AD Application

Hello, I want to extend the access token lifetime of my Azure app registration. I understand that there are a lot of SO questions on this already, but none of them seem to work, so instead of answering each of them with my question, I figured I'd create a new question.

I use the following PowerShell code to create an Azure AD policy that extends the lifetime and attach it to my app registration.

```powershell
# import the Azure AD preview module (the policy cmdlets only exist there)
Import-Module AzureADPreview

# connect with an admin with proper privileges
Connect-AzureAD

# specify the policy name and Azure application name
$policyName = "ExtendedLifeTimePolicyADAppRegistration"
$applicationName = "AzureTest"

Write-Host "Create a new policy"
# access token lifetime of 4 hours, scoped to this app only (not the tenant default)
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"04:00:00","MaxInactiveTime":"04:00:00","MaxAgeMultiFactor":"04:00:00","MaxAgeSingleFactor":"04:00:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# get the Azure AD application by display name
$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"
Write-Host "Apply the new policy"
Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id

Write-Host "Get assigned policies..."
Get-AzureADApplicationPolicy -Id $app.ObjectId
```

No error has been shown, and Get-AzureADApplicationPolicy returned that the policy is attached to my Azure AD application.

The following code prints the access token and its expiry. I used this code to print out the access token for the Azure AD app registration.

```powershell
# start from a clean session so the token comes from the service principal login below
Disconnect-AzureRmAccount
if (-not (Get-Module AzureRm.Profile)) {
    Import-Module AzureRm.Profile
}

function Get-AzureRmCachedAccessToken()
{
    $ErrorActionPreference = 'Stop'

    if (-not (Get-Module AzureRm.Profile)) {
        Import-Module AzureRm.Profile
    }
    $azureRmProfileModuleVersion = (Get-Module AzureRm.Profile).Version
    # refactoring performed in AzureRm.Profile v3.0 or later
    if ($azureRmProfileModuleVersion.Major -ge 3) {
        $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
        if (-not $azureRmProfile.Accounts.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    } else {
        # AzureRm.Profile < v3.0
        $azureRmProfile = [Microsoft.WindowsAzure.Commands.Common.AzureRmProfileProvider]::Instance.Profile
        if (-not $azureRmProfile.Context.Account.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    }

    $currentAzureContext = Get-AzureRmContext
    $currentAzureContext
    $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
    Write-Debug ("Getting access token for tenant " + $currentAzureContext.Tenant.TenantId)
    # dump the cached token entries (including their ExpiresOn) for inspection
    $currentAzureContext.TokenCache.ReadItems()
    # acquire (or reuse from the cache) the access token for the current tenant
    $token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
    Write-Output "####"
    $token
    Write-Output "####"
}

# placeholders: tenant id, application (client) id and client secret of the app registration
$tenantId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

$passwd = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($ClientID, $passwd)

# sign in as the service principal (the newer cmdlet name is left commented out)
#Connect-AzureRmAccount -Credential $pscredential -Tenant $tenantId
Add-AzureRmAccount -Credential $pscredential -TenantId $tenantId -ServicePrincipal
Get-AzureRmCachedAccessToken
```

First I thought my code to capture the access token was not valid because the token is cached, so I tried the following code from the MS doc, following this link, in Postman. But this gives the same output as the previous PowerShell code, which is the same default expiry of 1 hour.

In previous SO questions I've seen that people who changed the IsOrganizationDefault variable to "true" did get the AD policy working. Two remarks on this:

  1. I do not have the right access to set this value to true, because this impacts the entire tenant.
  2. I do not want to set this to true, because this will also impact any other user who creates an app registration and retrieves an access token.

Does anyone see what I am missing, what I forgot to do, or what I did wrong?

Upvotes: 1

Views: 720
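One way to confirm whether a TokenLifetimePolicy actually took effect is to read the `iat` and `exp` claims of the issued token rather than trusting the cache's ExpiresOn. The following is an added example, not code from the question or from the AzureAD/AzureRm modules; it uses a constructed sample token with a placeholder signature in place of the value `AcquireAccessToken` returns, and only decodes the claims (it does not validate the signature).

```powershell
function ConvertFrom-Base64Url([string]$s) {
    # base64url -> standard base64, then restore the padding that JWTs strip
    $b64 = $s.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url([string]$s) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtLifetime([string]$jwt) {
    # an access token is header.payload.signature; the lifetime is exp - iat (Unix seconds)
    $parts = $jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 dot-separated parts" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    [pscustomobject]@{
        IssuedAt  = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
        ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        Lifetime  = [TimeSpan]::FromSeconds($claims.exp - $claims.iat)
    }
}

function Test-PolicyLifetime([string]$jwt, [TimeSpan]$expected) {
    # $true when the token was issued with the lifetime the policy asked for
    (Get-JwtLifetime $jwt).Lifetime -eq $expected
}

# --- constructed sample token (placeholder signature), standing in for the real
# --- token returned by $profileClient.AcquireAccessToken(...) in the question
$iat = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url (@{ aud = 'https://management.azure.com/'; iat = $iat; nbf = $iat; exp = $iat + 4 * 3600 } | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.placeholder-signature"

# compare the observed lifetime with the 04:00:00 requested in the policy definition
$expected = [TimeSpan]::Parse('04:00:00')
Get-JwtLifetime $sampleToken
if (Test-PolicyLifetime $sampleToken $expected) {
    "Policy lifetime in effect ($expected)"
} else {
    "Token lifetime is $((Get-JwtLifetime $sampleToken).Lifetime); expected $expected (default is 01:00:00)"
}
```

Run `Get-JwtLifetime` on the `$token.AccessToken` value printed by the question's script to see whether Azure AD issued it with the policy's 4 hours or the default 1 hour.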

Answers (1)

Joy Wang

Reputation: 42063

Per my test, it currently only works with -IsOrganizationDefault $true, no matter whether you use Add-AzureADServicePrincipalPolicy or Add-AzureADApplicationPolicy; with -IsOrganizationDefault $false, neither works.

You should note that the feature Configurable token lifetimes in Azure Active Directory (Preview) is in preview, and the PowerShell commands you used are only in AzureADPreview. I believe the feature may not have been implemented completely, which caused the issue.

Upvotes: 1
