List item
I am using an Azure AD B2C custom policy. When using a custom policy session, the default session expiration time is 86,400 seconds. I added the SessionExpiryType and SessionExpiryInSeconds tags to the UserJourneyBehaviors tag of the custom policy to change the session expiration time to 900 seconds. Specifically, I added the following tags and values.
<UserJourneyBehaviors>
<SessionExpiryType>Absolute</SessionExpiryType>
<SessionExpiryInSeconds>900</SessionExpiryInSeconds>
</UserJourneyBehaviors>
I made the above changes and verified the operation, but the session expiration time remained at 86,400 seconds. What should I do to change the session expiration time?
Related
We have tried extending the session token time of an openid application on-boarded in Azure AD by configuring Sign-in frequency in Azure AD Condition Access Policy as suggested in the below MS document -
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
But it doesn't prompt for re-authentication after the configured sign-in frequency time period expires.
We have on-boarded ClickHelp app & set the sign-in frequency for 1 hour.
Need help with the configuration in Azure AD to extend the oAuth app session token time by 8hrs (application session should get expire after 8hrs & prompt to re-authenticate with Azure AD)
Also, wanted to know if conditional access policy only works with Microsoft apps?
Because when I configured policy for all cloud apps with sign-in-frequency set to 1hr, and hit the URL "https://endpoint.microsoft.com" in browser. I received the following error message on refreshing the URL after 1 hr -
Conditional access policy failure
{
"sessionId": "1026a56be9a04d77xxxxxx",
"missingClaims": "{"access_token":{"capolids":{"essential":true,"values":["83b40f65-1d01-45cc-xxxx-xxxxxxxx"]}}}",
"resourceName": "graph",
"errorMessage": "AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2020-09-15T11:26:21.5620000Z and the maximum allowed lifetime for this request is 3600.\r\nTrace ID: 2933c79c-e69b-xxxx-xxxx-xxxxxxxxx\r\nCorrelation ID: aab286b8-ea79-xxxx-xxxx-xxxxxxxxx\r\nTimestamp: 2020-09-15 12:50:22Z"
}
I'm trying to send a message to my Azure Servicebus queue using the REST Api in Python (can't use Azure package on Orange PI Zero system, not enough memory to install package...).
Now the example page shows a specifically formatted Authorization header:
Authorization: SharedAccessSignature sr=your-namespace&sig=Fg8yUyR4MOmXfHfj55f5hY4jGb8x2Yc%2b3%2fULKZYxKZk%3d&se=1404256819&skn=RootManageSharedAccessKey
How do I obtain the se ("Token expiry instant": reference) value for my SAS token from the Azure Portal? It only shows "Primary"/"Secondary" key...
How do I obtain the se ("Token expiry instant": reference) value for
my SAS token from the Azure Portal? It only shows
"Primary"/"Secondary" key
This is something you will need to compute yourself as it dictates when your SAS token will expire. For example if you want to have your SAS token expire in 15 minutes from when it was created, you will get a date/time value 15 minutes from now, and calculate the number of seconds between that date/time and epoch (Jan 1st, 1970 00:00:00 UTC).
Once you have that value, you will need to compute the signature using the logic described here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#generate-a-shared-access-signature-token.
I have a trust framework SignUpOrSignIn custom policy user flow which sets 3 extension attributes for an app.
I can see these 3 claims and their default values in the token.
However, when I GET the user via MS Graph API (https://graph.microsoft.com/beta/{tenantId}/users/{userId}), I do not see these extension attributes.
Once I PATCH the user, I can then see the value via the GET to the {userId} segment as expected.
PATCH
{
"extension_{appId}_subscription_expiry":"2020-04-10"
}
Why are any extension attributes not returned until they've been subsequently PATCHed?
Although you have set default values for the 3 extension attributes in your custom policy, you can only see them in the token after your sign-up at that time. But you didn't store them into Azure AD.
I guess that you just add such a code <OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" AlwaysUseDefaultValue="true" DefaultValue="xxx" /> in your SignUpOrSignIn.xml file.
But if you want to store the values into Azure AD, you should write the custom claim to the user profile by using AAD-UserWriteUsingLogonEmail TechnicalProfile. See Read and write a claim.
You should finish all the steps listed in this document: Add claims and customize user input using custom policies in Azure Active Directory B2C
We are using Configurable token lifetimes in Azure Active Directory to change the max session age for multi-factor scenarios. While I've updated the policy with the command below, and confirmed that the access token lifetime changed from the default 60 minutes to 30 minutes, it did not change to 10 minutes as the policy indicates it should below. I've also confirmed it is the default org policy.
Set-AzureADPolicy -Id <OBJECT ID> -DisplayName "OrganizationDefaultPolicyUpdatedScenario" -Definition #('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00","MaxAgeMultiFactor":"00:11:00","MaxAgeSessionMultiFactor":"00:10:00"}}')
I've checked the JWT token and confirmed exp is 30 minutes, so AccessTokenLifetime is implemented, but I'm using Outlook to test and confirmed MFA. The amr claim is "pwd,mfa".
Indirectly I think the MaxAgeMultiFactor timeout is working, but the session timeout is longer so it is hard to tell.
Why isn't MaxAgeSessionMultiFactor at 10 minutes (the minimum) working?
What am I doing wrong?
Complete policy:
class Policy
{
Id = 2a094bfe-d74e-4d55-906f-7cef8e54746b
OdataType =
AlternativeIdentifier =
Definition =
[
{
"TokenLifetimePolicy":
{
"Version":1,
"AccessTokenLifetime":"00:30:00",
"MaxAgeMultiFactor":"00:11:00",
"MaxAgeSessionMultiFactor":"00:10:00"
}
}
]
DisplayName = OrganizationDefaultPolicyUpdatedScenario
IsOrganizationDefault = True
KeyCredentials =
[
]
Type = TokenLifetimePolicy
}
Generally once access token is obtained, Azure AD will only check for the refresh token at the time of renewal. If the refresh token is also expired, Azure AD will then force the user for a fresh auth and check if MFA is required. If MFA is required, Azure AD will look to see if MFA cookie exists, MFA cookie is valid or not etc.
I see that you have only modified the access token lifetime and MFA lifetimes. So unless your MaxAgeSessionSingleFactor lifetime (Refresh Token) is less than MaxAgeSessionMultiFactor user will not be affected or prompted for MFA. Also single-factor authentication is considered less secure than multi-factor authentication, we recommend that you set MaxAgeSessionSingleFactor property to a value that is equal to or lesser than the Multi-Factor Refresh Token Max Age property(MaxAgeSessionMultiFactor).
With that being said, this feature is being deprecated as described in the article you are following. So we do not recommend using this feature in new environments.
"After hearing from customers during the preview, we're planning to replace this functionality with a new feature in Azure Active Directory Conditional Access. Once the new feature is complete, this functionality will eventually be deprecated after a notification period. If you use the Configurable Token Lifetime policy, be prepared to switch to the new Conditional Access feature once it's available." from the article.
I have created access token using AcquireToken method (with default 1 hour expiration) and tried to login using below command
Add-AzureRmAccount -AccessToken "string" -AccountId "string"
It produces subscription details as expected by successful login.
After this i tried to update policy as below:
Set-AzureADPolicy -ObjectId <ObjectID FROM GET COMMAND> -DisplayName TenantDefaultPolicyUpdatedScenario -Definition #("{`"TokenLifetimePolicy`":{`"Version`":1,`"MaxAgeSingleFactor`":`"2.00:00:00`"}}")
But still token got expired in 1 hour.
Did i missed anything ?
what is the exact procedure and order of updating lifetime of token ?a
after setting policy how to ensure token life time ?
Thanks in advance.
According to this article, you should set AccessTokenLifetime property. Please try to use the following command.
Set-AzureADPolicy -Id <ObjectId FROM GET COMMAND> -DisplayName "OrganizationDefaultPolicyUpdatedScenario" -Definition #('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"1.00:00:00"}}')
The following is the snippet from the document.
Access Token Lifetime
String: AccessTokenLifetime
Affects: Access tokens, ID tokens
Summary: This policy controls how long access and ID tokens for this resource are considered valid. Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.
The MaxAgeSingleFactor property affects Refresh tokens.
Single-Factor Refresh Token Max Age
String: MaxAgeSingleFactor
Affects: Refresh tokens
Summary: This policy controls how long a user can use a refresh token to get a new access/refresh token pair after they last authenticated successfully by using only a single factor. After a user authenticates and receives a new refresh token, the user can use the refresh token flow for the specified period of time. (This is true as long as the current refresh token is not revoked, and it is not left unused for longer than the inactive time.) At that point, the user is forced to reauthenticate to receive a new refresh token.
Reducing the max age forces users to authenticate more often. Because single-factor authentication is considered less secure than multi-factor authentication, we recommend that you set this property to a value that is equal to or lesser than the Multi-Factor Refresh Token Max Age property.
Note: Access token without any expiry is a major security risk and it is not allowed in the Azure.
Default expiration of access token is 1 hour, minimum is 10 minutes, and the maximum is 1 day.
For more details, refer “Configurable token lifetimes in Azure Active Directory (Public Preview)”.