we are using Azure ADB2C with grant type as client credentials. We are sharing clientid, secret with customers to consume our APIs. We don't have any user flow created as it not required.
Is there anyway we can change the token lifetime to 15 min (default is 60min)
Based on your description, I understand that you are using AAD client credentials flow because B2C doesn't support client credentials flow.
If so, your customer doesn't use the B2C feature.
You can configure token lifetime policies for your AAD feature.
$policy = New-AzureADPolicy -Definition #('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:15:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Related
I'm working on Client Credential Flow to authenticate two applications but I want to add some information in access token. Can we customize claim and include it in access token ?
I tried to reproduce the same in my environment to create the custom claim in Azure AD
Please follow the below steps to get the access token
You can get the Object ID of Service Principal ID like below
Azure Portal>Azure Active Directory>Enterprise Application>Select your application
(https://i.imgur.com/gmfUAmg.png)
Change the value in manifest like below
(https://i.imgur.com/sJvFNT4.png)
Create the policy using powershell like below
$Policy = New-AzureADPolicy -Definition #('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"customvalue","JwtClaimType":"customclaim"}]}}') -DisplayName "Demo123" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId $Policy.Id -Id '<Service Principle ID>'
(https://i.imgur.com/x3Sb6ON.png)
Generate the code and copy the code to generate the token via postman
https://login.microsoftonline.com/Tenant ID/v2.0/authorize?
&client_id=Client ID&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
(https://i.imgur.com/0z2JLSz.png)
Kindly change the value in Postman to generate the Token
(https://i.imgur.com/PGMyUqA.png)
copy the Access token value without quotes from postman
(https://i.imgur.com/ttYp6XW.png)
Decode the same access token value in jwt.ms
(https://i.imgur.com/J2TF0sB.png)
Scenario: I have a Function App deployed in Azure that needs to be called from a PowerShell client in a non-Microsoft domain. My logic is to authenticate the user via their onMicrosoft domain email address and password. I am using MSAL to do the same. But this needs clientId and tenantId to work, as per my current knowledge, we cannot ask users to put in client id and client secret here.
Problem 1: Is using the MSAL the best way to achieve this? I created an App Registration in my Azure cloud and for testing, I am using the clientId and tenantId of the above App registration in the below PowerShell and I use my own Microsoft email/password + 2FA for getting the token. I cannot propagate the same clientId and tenantId to our actual non-Microsoft client.
Problem 2: I might be not fully leveraging MSAL here, since I am unable to persist the token (System/env variables are not allowed), and every time the PS script is invoked the interactive login window opens up, which is not a pleasant user experience.
Sample script code:
Assume $clientId and $tenantId bieng user input arguments
if (-not(Get-Module -ListAvailable -Name MSAL.ps))
{
Install-Module -Name MSAL.ps -AllowClobber -Confirm:$False -Force -AcceptLicense
}
Import-Module MSAL.ps
$Token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Interactive -Scope 'https://graph.microsoft.com/User.Read'
$bearerToken = $Token.AccessToken
I have successfully made a Custom App Consent Policy using New-AzureADMSPermissionGrantConditionSet and following the MS docs. I specified ClientApplicationIds and it works great.
Now I also want to specify the permissions that must match. On Permissions, the docs say:
I need help understanding (and accessing) the permission IDs in the "OAuth2Permissions property of the API's ServicePrincipal object".
What ServicePrincipal is the doc referring to? The one in the application’s Home Tenant, or one in the Tenant that is using the application? If the app has not been consented to yet, then there is no ServicePrinciple in the Tenant using the app so I have a chicken-and-egg problem.
And what are the Permissions I'm expecting to get? I'm wondering why MS didn't just let us pass the scopes as strings e.g. email, mail.read etc. I don't understand exactly what the Permissions are in this particular context.
I need help understanding (and accessing) the permission IDs in the "OAuth2Permissions property of the API's ServicePrincipal object".
The permission ID means the id of the Delegated permission of the API( i.e. oauth2Permissions defined in the API) you added in the client app registration.
For example, you created a multi-tenant client app in tenant A, you added the Mail.Read Delegated permission of Microsoft Graph, by default, there would also be a User.Read Delegated permission automatically, so there are two permissions totally in the API permissions of your client app.
Now, you want to use the custom app consent policy in tenant B, you want the user to consent the two permissions, then the -Permissions should be the id of the two permission defined in Microsoft Graph, to find it easily, just navigate to the client app in tenant A -> Manifest, then you can get the ids like below.
The complete command should be
New-AzureADMSPermissionGrantConditionSet `
-PolicyId "joy-custom-policy" `
-ConditionSetType "includes" `
-PermissionType "delegated" `
-ResourceApplication "00000003-0000-0000-c000-000000000000" `
-Permissions #("e1fe6dd8-ba31-4d61-89e7-88639da4683d","570282fd-fa5c-430d-a7fd-fc8dc98a9dca")
In another scenario, you use the custom API(created in tenant A) in the client app instead of a Microsoft API.
If so, you need to grant admin consent for the API App in tenant B first, otherwise you will get an error The app needs access to a service (\"api://tenantA/myapi\") that your organization (tenant B) has not subscribed to or enabled, or you can use the admin account to run New-AzureADServicePrincipal -AppId <appid of the API app> in tenant B, it will also work, after consent, the normal user will be able to consent the permission you defined in the policy.
Note: Sometimes, you may get an error This app may be risky like below.
This means Microsoft detects a risky end-user consent request, the request will require a step-up to admin consent instead, if you still want the user to consent the permission, you need to disable the risk-based step-up consent first, then the user will be able to consent the permission.
Here's an example for how you would get the permission IDs for three delegated permissions for Microsoft Graph, using Azure AD PowerShell:
# The appId for the client application
$clientAppId = "{client-app-id}"
# The claim values for the Microsoft Graph delegated permissions to include
$claimValues = #("User.Read", "Mail.Send", "User.ReadBasic.All")
# Get the service principal for Microsoft Graph
$resource = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://graph.microsoft.com')"
# Get the delegated permission IDs for the given claim values
$permissionIds = $resource.OAuth2Permissions `
| ? { $claimValues.Contains($_.Value) } | select -ExpandProperty Id
# Use these permission IDs in a condition set for a custom permission grant policy
New-AzureADMSPermissionGrantConditionSet `
-PolicyId "my-custom-policy" `
-ConditionSetType "includes" `
-ClientApplicationIds #($clientAppId) `
-PermissionType "delegated" `
-ResourceApplication $resource.AppId `
-Permissions $permissionIds
I have followed below article for configuring azure aad token lifetime to 10mins
How can I configure the expiration time of an Azure AD access token (using ADAL)?
I have used command below for assigning policy to app
Add-AzureADApplicationPolicy -Id <ObjectId of the AAD Application> -RefObjectId <ObjectId of the Policy>
Policy created but not reflected on new tokens created. Token expiry still showing as 1 hour for new tokens.
As AdminOfThings said, this policy is applied to the web API. When the native app requests the web API as a resource, this policy is applied.
And you could try to set -IsOrganizationDefault as true to create a strict policy for a web API.
New-AzureADPolicy -Definition #('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00","MaxAgeSessionSingleFactor":"00:10:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
You should also check to see if a default policy exists too, as long as it is not overridden by a policy with a higher priority.
I set AzureADPolicy by
New-AzureADPolicy -Definition #('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00","MaxInactiveTime":"00:10:30","MaxAgeSessionSingleFactor":"00:11:00"}}') -DisplayName "PolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
and AccessTokenLifetime is work, my access token expires in 600,
buy MaxInactiveTime is not work, I also can get access token after 15 minute
Thanks for answer
I believe that you are using confidential clients (Azure AD application is registered as a "Web" application) rather than public clients ((Azure AD application is registered as a "Public client" application)).
MaxInactiveTime is only available for public clients app. It cannot be changed by using policy in confidential clients app.
See more details here.