Token lifetime policy
You can specify the lifetime of an access token, ID token, or SAML token issued by Microsoft Entra ID. Token lifetimes can be set for all apps in your tenant or for specific service principals. Token lifetime policies cannot be set for refresh tokens or session tokens. In this demo, the default access token lifetime (one hour) is changed to two hours.
Prerequisites
Before you start, make sure you have configured the following:
This configuration can be done using Microsoft Graph.
Create a token lifetime policy
First, create a token lifetime policy. The following Microsoft Graph request creates a policy with a two-hour access token lifetime. Important: set isOrganizationDefault to false so that your policy does not change the default settings of your tenant.
POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
{
"definition": [
"{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"2:00:00\"}}"
],
"displayName": "Woodgrove live demo token lifetime policy",
"isOrganizationDefault": false
}
From the response, copy the value of the token lifetime policy id:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/tokenLifetimePolicies/$entity",
"id": "12345678-1234-1234-1234-000000000000",
...
}
Assign token lifetime policy to your application
Finally, assign the token lifetime policy to your application. If you have more than one application, repeat this step for each of them. Replace {app-id} with your application (client) ID, not the object ID, and replace {policy-id} with the token lifetime policy ID from the previous step.
POST https://graph.microsoft.com/v1.0/applications(appId='{app-id}')/tokenLifetimePolicies/$ref
{
"@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/{policy-id}"
}
Example:
POST https://graph.microsoft.com/v1.0/applications(appId='10f90284-3ee4-4e82-a641-55cc4068b633')/tokenLifetimePolicies/$ref
{ "@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/12345678-1234-1234-1234-000000000000" }
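The two Graph calls above, as an added example that is not part of the Woodgrove demo. It builds the create-policy body (note that the policy definition is a JSON document serialized inside a JSON string, exactly as the request above shows), pulls the policy id out of the response, builds the $ref assignment body, and, as the check a defender wants after rollout, inspects an issued access token to confirm exp - iat matches the configured lifetime. The endpoints, the policy id and the app id are the ones on this page; the 10-minute to 1-day range is the documented AccessTokenLifetime range; the sample token and sample response are constructed here and no network call is made.

```python
import base64
import json
import re
from datetime import timedelta

GRAPH = "https://graph.microsoft.com/v1.0"

# Documented AccessTokenLifetime range; the tenant default is one hour.
MIN_LIFETIME = timedelta(minutes=10)
MAX_LIFETIME = timedelta(days=1)


def parse_lifetime(value: str) -> timedelta:
    """Parse the 'H:MM:SS' string used in TokenLifetimePolicy definitions."""
    m = re.fullmatch(r"(\d+):([0-5]\d):([0-5]\d)", value)
    if not m:
        raise ValueError(f"bad lifetime format: {value!r}")
    h, mi, s = (int(x) for x in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)


def lifetime_in_range(value: str) -> bool:
    """True if the lifetime is one Entra will accept (and not absurdly long)."""
    return MIN_LIFETIME <= parse_lifetime(value) <= MAX_LIFETIME


def build_policy_request(display_name: str, lifetime: str) -> tuple[str, dict]:
    """Return (url, body) for POST /policies/tokenLifetimePolicies."""
    if not lifetime_in_range(lifetime):
        raise ValueError(f"lifetime {lifetime} outside {MIN_LIFETIME}..{MAX_LIFETIME}")
    definition = {"TokenLifetimePolicy": {"Version": 1, "AccessTokenLifetime": lifetime}}
    body = {
        # The definition element is itself a JSON string, not a nested object.
        "definition": [json.dumps(definition, separators=(",", ":"))],
        "displayName": display_name,
        # Keep false so the policy never silently becomes the tenant default.
        "isOrganizationDefault": False,
    }
    return f"{GRAPH}/policies/tokenLifetimePolicies", body


def policy_id_from_response(response_body: str) -> str:
    """Extract the policy id from the create response."""
    return json.loads(response_body)["id"]


def build_assign_request(app_id: str, policy_id: str) -> tuple[str, dict]:
    """Return (url, body) for binding the policy to an application by appId."""
    url = f"{GRAPH}/applications(appId='{app_id}')/tokenLifetimePolicies/$ref"
    body = {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"}
    return url, body


def observed_lifetime(jwt: str) -> timedelta:
    """Inspect (NOT verify) an issued access token: exp - iat is the effective lifetime.
    Use this after rollout to confirm the policy actually applied to the app."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return timedelta(seconds=claims["exp"] - claims["iat"])


# Constructed sample data (no real tenant involved).
SAMPLE_CREATE_RESPONSE = json.dumps({
    "@odata.context": f"{GRAPH}/$metadata#policies/tokenLifetimePolicies/$entity",
    "id": "12345678-1234-1234-1234-000000000000",
})


def make_sample_token(iat: int, lifetime: timedelta) -> str:
    """Constructed, unsigned token with a dummy signature segment, for inspection only."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": iat, "nbf": iat, "exp": iat + int(lifetime.total_seconds())}
    return ".".join([b64(header), b64(payload), "dummy-signature"])


if __name__ == "__main__":
    url, body = build_policy_request("Woodgrove live demo token lifetime policy", "2:00:00")
    print("POST", url, json.dumps(body, indent=2))
    policy_id = policy_id_from_response(SAMPLE_CREATE_RESPONSE)
    url, body = build_assign_request("10f90284-3ee4-4e82-a641-55cc4068b633", policy_id)
    print("POST", url, json.dumps(body))
    token = make_sample_token(1_700_000_000, timedelta(hours=2))
    print("observed lifetime:", observed_lifetime(token))
```

In a real run, send each (url, body) with a bearer token that has Policy.ReadWrite.ApplicationConfiguration, then acquire a token for the app and feed it to observed_lifetime; a value still equal to one hour means the $ref assignment did not take effect for that appId.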