Azure AD B2C: is it possible to set the password expiration period?

I see that in this topic default password expiration period is 90 days.
But is there any way to change this period, for example to 30 days or 1 day? Or any workaround?

This can be achieved using a custom policy.
Here is an example of a policy that forces an existing user to change their current password after 90 days (which can be changed to a lesser or greater number of days).

You can refer to the suggestion mentioned in this SO thread.
Remove password expiration on b2c custom policies
Kindly let us know if the above helps or you need further assistance on this issue.

Related

Azure App registration Client secrets expiration

Has Microsoft changed the expiration date for Client secrets to be max 2 years? It is not possible to select "Never" anymore?
I just ran into this myself. You can add a credential using PowerShell which is more than 2 years. So I'm guessing it's a UI limitation.
$startDate = Get-Date
$endDate = $startDate.AddYears(98)
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId b09d3e1b-417d-425c-be05-9e46943d7207 -StartDate $startDate -EndDate $endDate
Has Microsoft changed the expiration date for Client secrets to be max
2 years? It is not possible to select "Never" anymore?
That's correct. The new expiration age for the client secret can be 2 years maximum.
As of February 2022 it isn't possible anymore:
https://devblogs.microsoft.com/microsoft365dev/client-secret-expiration-now-limited-to-a-maximum-of-two-years/
Looks like we got an official answer from Microsoft's team on Jun 08, 2021, according to this discussion: https://learn.microsoft.com/en-us/answers/questions/422538/future-plans-of-microsoft-with-the-maximum-expirat.html
This was the final answer from their engineering team:
There are plans to limit lifetimes of the secret administratively. However, there are no current timelines or ETAs of when this will happen. Removing the UX option to have never expiring secrets is a first step of that process (you can still create secrets that never expire with PowerShell, AZ CLI and Graph API).
So, I understood that, for a while, I can use PowerShell's method suggested by Daniel in the accepted answer above.
However, we cannot rely on this forever because sooner or later the 'never' option may disappear completely if Microsoft's plans materialize. I hope it doesn't in this case. As some have said, I also foresee expiration problems in the coming years because of this limitation.
You can set the date through the Azure built-in CLI.
Open the Azure CLI in the browser. Then run the command below. Note: If you don't pass a password, this will reset your existing password! The end-date is whatever you want it to be:
az ad sp credential reset --name {name of your AD app} --end-date 2035-03-04 --credential-description DescriptionHere
If you want to preserve the App Secret, which is what I needed, I already had created the secret and started using it, make sure to pass the existing password.
az ad sp credential reset --name {name of your AD app} --password {whatever password you want to keep} --end-date 2035-03-04 --credential-description AppAccess
--credential-description is optional but if you don't pass one it will be blank on the UI which is not nice.
Further info:
https://learn.microsoft.com/en-us/cli/azure/ad/app/credential?view=azure-cli-latest
There is an Azure Active Directory feedback request to allow for extension of expirations without having to reset the passwords. Please upvote it as it would be a nice way to solve the issue of having to go through all apps using a Client Secret every few years.
Azure DevOps allows for this on your Personal Access Tokens (PAT). Would love for this to work the same way and allow for extensions in both the CLI as well as the portal:
https://feedback.azure.com/d365community/idea/c9d2da85-8be2-ec11-a81b-6045bd7ac9f9
It can't be changed unfortunately, not even by manipulating your App registration manifest directly (that's how you change most things that are not supported with their UI).
Great, now you have to set a reminder for yourself to update that application in time. If you leave the company there is a good chance the people after you will forget it and break your application from one day to the next..
Very unusual, that client secret supposedly is only known to your server - how exactly is forcing you to change it after 2 years (in which it was evidently unbroken) ANY safer? Now your Azure-operators have to tell your devs/devops the NEW client-secret.. that is highly sensitive information that has to be transferred SOMEHOW - completely unnecessary risk!
That reminds me a bit of companies where you need to change your PW every month. I think at this point in time it is well understood that this actually lowers your security, because people are lazy and find all kinds of workarounds, like appending numbers (worst case: the current month) to the password, greatly weakening the password strength overall.
Same if you have to send a new client-secret for one of your clients every year. Sure everyone KNOWS that you are supposed to use a safe channel (as far as that even exists), but this just invites security issues born out of laziness, stress or simply human error.
Well done Microsoft, I feel safer already..
Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
Microsoft recommends that you set an expiration value of less than 12 months.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret
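For the "set a reminder" problem raised in this thread, a tenant-wide audit of client secret lifetimes is more dependable than a calendar entry. The following is an added example, not code from any of the answers: it reads application objects in the shape Microsoft Graph returns them (`passwordCredentials` with `startDateTime` and `endDateTime`) and flags secrets that have expired, are about to expire, or were created with a lifetime over the two-year cap. The sample data, the 30-day warning window and the function names are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph application objects.
SAMPLE_APPS = json.loads("""[
 {"displayName": "billing-api", "passwordCredentials": [
   {"displayName": "AppAccess", "startDateTime": "2022-03-04T00:00:00Z",
    "endDateTime": "2035-03-04T00:00:00Z"},
   {"displayName": "rotated", "startDateTime": "2024-01-10T09:30:00.1234567Z",
    "endDateTime": "2024-07-10T09:30:00.1234567Z"}]},
 {"displayName": "report-job", "passwordCredentials": [
   {"displayName": null, "startDateTime": "2023-02-01T00:00:00Z",
    "endDateTime": "2024-02-01T00:00:00Z"}]},
 {"displayName": "no-secrets", "passwordCredentials": []}
]""")

MAX_LIFETIME = timedelta(days=731)  # two calendar years, leap day included
WARN_BEFORE = timedelta(days=30)    # assumed reminder window, adjust as needed


def parse_ts(value):
    """Parse a UTC timestamp like 2014-01-01T00:00:00Z (fraction ignored)."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(apps, now):
    """Return (app, secret description, status) for secrets needing attention."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials") or []:
            start = parse_ts(cred["startDateTime"])
            end = parse_ts(cred["endDateTime"])
            if end <= now:
                status = "EXPIRED"
            elif end - now <= WARN_BEFORE:
                status = "EXPIRING_SOON"
            elif end - start > MAX_LIFETIME:
                status = "OVER_TWO_YEARS"
            else:
                continue  # within policy and not close to expiry
            label = cred.get("displayName") or "(blank)"
            findings.append((app["displayName"], label, status))
    return findings


if __name__ == "__main__":
    for row in audit_secrets(SAMPLE_APPS, datetime(2024, 6, 20, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```

Secrets without a description show up as "(blank)", matching what the portal displays when no credential description was passed.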

Is there a way to prevent expiration of an Azure DevOps Personal Access Token (PAT)?

Context: Within an Azure DevOps user's Personal Access Token (PAT) settings, there is the ability to scope the Organization the token has access to and set an Expiration date up to one year.
Question: Is there a way in settings/options to prevent expiration or automate token regeneration? Supplementary question (opinion), is that a bad idea?
Each PAT has an expiration date; the default period is 30 days and the maximum period is one year.
If the PAT created at the beginning is 90 days, when it expires, you can choose to change to 180 days or 1 year. But if you start in 1 year and expire soon after one year, you can only add one more token.
In addition, the following notification is sent: a PAT is near expiration.
This is intended to prevent PAT from being leaked to pose a threat to the user's personal information security in its long-term use.
Updating PAT in a timely manner helps protect your information.

In Azure AD B2C, Can we force a password reset after N days?

When using local accounts, can we force a password change every N days?
If not, can we use the graph api to determine the last time the password was changed?
You're not going to like my answer but...
At this time, Azure AD B2C does not support forced password reset. I would vote for it here.
At this time, the graph API also doesn't support when a password was last changed. Vote for that here.
The Azure AD B2C Team updated the user voice request here.
So now you can use an extension policy to force the password expiration, you can take a look at the code here.
Also, the Azure AD Team released a similar feature, updating the user voice request here.
The property is called:
lastPasswordChangeDateTime
and indeed seems to be the correct one:
The time when this Azure AD user last changed their password. The date
and time information uses ISO 8601 format and is always in UTC time.
For example, midnight UTC on Jan 1, 2014 would look like this:
'2014-01-01T00:00:00Z'
See the updated official documentation for the Graph API.

Setting time limited temporary password for user in azure active directory using graph api

We have a requirement where we are creating users in Azure Active Directory with a temporary password. The requirement is such that we need to give the user a temporary password with an expiry time limited to 1 hr. In case the user doesn't log in within an hour, the password needs to be reissued using a workflow.
The question is:
Is there a way to create a temporary password for a user in AAD with
an expiry time as low as 1 hr? I am aware the expiry of passwords can be set
at the Active Directory level, which can be limited to a minimum of 14 days.
I would really appreciate any help on this.

Azure ACS session lifetime

Say I sign into my site with ACS. Then close the browser, then reopen the site... it asks me to sign-in again. I would like it so it doesn't ask me to signin for a week or so after I authenticate with ACS the first time. How does one go about accomplishing this?
You don't authenticate against ACS. ACS is an intermediary between your app and an identity provider (e.g. LiveID, Google, Facebook, etc).
If you set "remember me" with any of these sites (and if they support it), then you will not be asked for username/password the second time.
Add the following attributes; this will persist the cookie with an extended lifetime.
<wsFederation ... persistentCookiesOnPassiveRedirects="true" />
<cookieHandler ... persistentSessionLifetime="60" />
...
Note that the description of persistentSessionLifetime in MSDN is not true. For example, if you set it to 1.6:13:45.0, the cookie will expire after 30 hours (1 day + 6 hours), 13 minutes and 45 seconds +/- the maximumClockSkew from <identityConfiguration>. So the description in MSDN should be like the one for TimeSpan: [-]d.hh:mm:ss.ff. I hope Microsoft changes the wrong description.
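To check what a persistentSessionLifetime value means before deploying it, the TimeSpan reading described in the last answer can be applied offline. This is an added example, not code from the answers: it parses the [-]d.hh:mm:ss.ff form (a bare number is read as days, as .NET TimeSpan does) and returns the lifetime window after applying a clock skew. The function names and the five-minute skew in the demo are assumptions.

```python
import re
from datetime import timedelta

# [-]d | [-][d.]hh:mm[:ss[.ff]] following the TimeSpan format named above
_TIMESPAN = re.compile(
    r"^\s*(?P<sign>-)?(?:(?P<days_only>\d+)|"
    r"(?:(?P<days>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{1,2})"
    r"(?::(?P<s>\d{1,2})(?:\.(?P<f>\d{1,7}))?)?)\s*$"
)


def parse_timespan(text):
    """Convert a TimeSpan-formatted string into a timedelta."""
    m = _TIMESPAN.match(text)
    if not m:
        raise ValueError(f"not a TimeSpan value: {text!r}")
    if m["days_only"] is not None:
        span = timedelta(days=int(m["days_only"]))  # bare number means days
    else:
        h, mi, s = int(m["h"]), int(m["m"]), int(m["s"] or 0)
        if h > 23 or mi > 59 or s > 59:
            raise ValueError(f"component out of range in {text!r}")
        frac = float("0." + m["f"]) if m["f"] else 0.0
        span = timedelta(days=int(m["days"] or 0), hours=h,
                         minutes=mi, seconds=s + frac)
    return -span if m["sign"] else span


def expiry_bounds(lifetime, max_clock_skew):
    """Shortest and longest cookie lifetime given +/- the clock skew."""
    life, skew = parse_timespan(lifetime), parse_timespan(max_clock_skew)
    return life - skew, life + skew


if __name__ == "__main__":
    # "00:05:00" is an assumed skew value used only for this demonstration
    for value in ("1.6:13:45.0", "60", "0:30"):
        low, high = expiry_bounds(value, "00:05:00")
        print(f"{value!r}: between {low} and {high}")
```

Under this reading, the value "60" from the first answer is a 60-day persistent cookie, which is worth confirming against the intended session length.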
