Token lifetime policy

You can specify the lifetime of an access token, ID token, or SAML token issued by Microsoft Entra ID. A token lifetime policy can be set as the default for all apps in your tenant, or assigned to individual applications or service principals. You cannot set token lifetime policies for refresh tokens or session tokens. In this demo we changed the default access token lifetime (one hour) to two hours.

Prerequisites

Before you start make sure you have configured the following:
  1. Create a tenant and add admin accounts
  2. Register a web application
  3. Create a user flow

This configuration can be done using Microsoft Graph.

Create a token lifetime policy

First create a token lifetime policy. The following Microsoft Graph request creates a policy with a two-hour access token lifetime. Important: set isOrganizationDefault to false, so the policy applies only to the applications you assign it to and does not change the default settings of your tenant.

POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
{
    "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"2:00:00\"}}"
    ],
    "displayName": "Woodgrove live demo token lifetime policy",
    "isOrganizationDefault": false
}
        
From the response, copy the value of the token lifetime policy id:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/tokenLifetimePolicies/$entity",
    "id": "12345678-1234-1234-1234-000000000000",
    ...
}
        

Assign token lifetime policy to your application

Finally, assign the token lifetime policy to your application. If you have more applications, repeat this step for each of them. Replace {app-id} with your application (client) ID, not the object ID, and replace {policy-id} with the token lifetime policy ID from the previous step.

POST https://graph.microsoft.com/v1.0/applications(appId='{app-id}')/tokenLifetimePolicies/$ref
{
  "@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/{policy-id}"
}

For example, with the demo application ID and the policy ID returned in the previous step:

POST https://graph.microsoft.com/v1.0/applications(appId='10f90284-3ee4-4e82-a641-55cc4068b633')/tokenLifetimePolicies/$ref
{
  "@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/12345678-1234-1234-1234-000000000000"
}
            
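The two Graph calls above, plus the check a practitioner wants afterwards (does a freshly issued access token actually carry the two-hour lifetime?), as an added example that is not part of the original demo. It builds the policy definition string in the format Entra expects, rejects lifetimes outside the documented 10 minutes to 1 day range, produces the create and assign requests, and reads exp and iat from a token to confirm the policy took effect. The send helper assumes a requests.Session that already carries a bearer token with Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All; the JWT used below is constructed locally for the check and is not a real Entra token.

```python
import base64
import json
from datetime import timedelta

GRAPH = "https://graph.microsoft.com/v1.0"


def lifetime_definition(lifetime: timedelta) -> str:
    """Build the TokenLifetimePolicy definition for AccessTokenLifetime.

    Entra accepts 10 minutes to 1 day. The value is a .NET TimeSpan string
    (d.hh:mm:ss); two hours is written "2:00:00" as on the page.
    """
    if not timedelta(minutes=10) <= lifetime <= timedelta(days=1):
        raise ValueError("AccessTokenLifetime must be between 10 minutes and 1 day")
    total = int(lifetime.total_seconds())
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    span = f"{hours}:{minutes:02d}:{seconds:02d}"
    if days:
        span = f"{days}.{hours:02d}:{minutes:02d}:{seconds:02d}"
    policy = {"TokenLifetimePolicy": {"Version": 1, "AccessTokenLifetime": span}}
    # No spaces, matching the definition string shown in the Graph request.
    return json.dumps(policy, separators=(",", ":"))


def create_policy_request(display_name: str, lifetime: timedelta) -> dict:
    """Request that creates the policy (step 1 on the page)."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/policies/tokenLifetimePolicies",
        "body": {
            "definition": [lifetime_definition(lifetime)],
            "displayName": display_name,
            # Keep false: a demo policy must never become the tenant default.
            "isOrganizationDefault": False,
        },
    }


def assign_policy_request(app_id: str, policy_id: str) -> dict:
    """Request that binds the policy to one application by its appId (step 2)."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/applications(appId='{app_id}')/tokenLifetimePolicies/$ref",
        "body": {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"},
    }


def send(session, request: dict) -> dict:
    """Send one of the requests above. `session` is assumed to be an
    authenticated requests.Session (Authorization: Bearer ... already set)."""
    resp = session.request(request["method"], request["url"], json=request["body"])
    resp.raise_for_status()
    # The $ref assignment returns 204 with an empty body; create returns the policy.
    return resp.json() if resp.content else {}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_lifetime_seconds(jwt: str) -> int:
    """exp - iat from the JWT payload. The signature is deliberately not
    verified here: this is a sanity check of the policy, not authorization."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return int(payload["exp"]) - int(payload["iat"])


def policy_took_effect(jwt: str, expected: timedelta) -> bool:
    """True when a token issued after assignment has exactly the configured lifetime."""
    return token_lifetime_seconds(jwt) == int(expected.total_seconds())


def make_unsigned_sample_jwt(iat: int, exp: int) -> str:
    """Constructed sample token (not issued by Entra) carrying only iat/exp."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"typ": "JWT", "alg": "RS256"})
    body = enc({"aud": "api://example", "iat": iat, "nbf": iat, "exp": exp})
    return f"{header}.{body}.not-a-real-signature"


if __name__ == "__main__":
    two_hours = timedelta(hours=2)
    print(json.dumps(create_policy_request("Woodgrove live demo token lifetime policy", two_hours), indent=2))
    print(json.dumps(assign_policy_request("{app-id}", "{policy-id}"), indent=2))
    sample = make_unsigned_sample_jwt(1_700_000_000, 1_700_007_200)
    print("policy took effect:", policy_took_effect(sample, two_hours))
```

After assigning the policy, acquire a new access token for the application (the cached one is unaffected) and run policy_took_effect on it; an unchanged lifetime usually means the policy was bound to the wrong object or the app is still being issued tokens under the tenant default.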