{
	"id": "07d41c41-0a1a-4658-b8bc-a45e0b04f614",
	"created_at": "2026-04-06T00:11:24.004249Z",
	"updated_at": "2026-04-10T13:13:06.568607Z",
	"deleted_at": null,
	"sha1_hash": "9a0cba2917b520b18c8e94032e3584b26136a462",
	"title": "Configurable Token Lifetimes - Microsoft identity platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64503,
	"plain_text": "Configurable Token Lifetimes - Microsoft identity platform\r\nBy cilwerner\r\nArchived: 2026-04-05 17:56:50 UTC\r\nYou can configure the lifetime of access, ID, or Security Assertion Markup Language (SAML) tokens issued by\r\nthe Microsoft identity platform. Token lifetimes can be set for all apps in your organization, multitenant\r\napplications, or specific service principals. Configuring token lifetimes for managed identity service principals\r\nisn't supported.\r\nIn Microsoft Entra ID, policies define rules applied to individual applications or all applications in an\r\norganization. Each policy type has unique properties that determine how it is enforced on the object to which it's\r\nassigned.\r\nA policy can be designated as the default for your organization, applying to all applications unless overridden by a\r\nhigher-priority policy. Policies can also be assigned to specific applications, with priority varying by policy type.\r\nFor practical guidance, see examples of how to configure token lifetimes.\r\nNote\r\nConfigurable token lifetime policy only applies to mobile and desktop clients that access SharePoint Online and\r\nOneDrive for Business resources, and doesn't apply to web browser sessions. To manage the lifetime of web\r\nbrowser sessions for SharePoint Online and OneDrive for Business, use the Conditional Access session lifetime\r\nfeature. Refer to the SharePoint Online blog to learn more about configuring idle session time-outs.\r\nNote\r\nYou might want to increase the token lifetime so that a script runs for more than an hour. 
Many Microsoft\r\nlibraries, such as the Microsoft Graph PowerShell SDK, extend the token lifetime as needed, so you don't need to\r\nmake changes to the access token policy.\r\nNote\r\nConfigurable token lifetime policy is not supported for applications developed for personal Microsoft accounts\r\n(where signInAudience is set to AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount).\r\nLicense requirements\r\nUsing this feature requires a Microsoft Entra ID P1 license. To find the right license for your requirements, see\r\nComparing generally available features of the Free and Premium editions.\r\nCustomers with Microsoft 365 Business licenses also have access to Conditional Access features.\r\nhttps://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes\r\nPage 1 of 5\n\nToken lifetime policies for access, SAML, and ID tokens\r\nYou can set token lifetime policies for access tokens, SAML tokens, and ID tokens.\r\nAccess tokens\r\nClients use access tokens to access a protected resource. An access token can be used only for a specific\r\ncombination of user, client, and resource. Access tokens can't be revoked and are valid until their expiry. A\r\nmalicious actor that obtains an access token can use it for the extent of its lifetime. Adjusting the lifetime of an access\r\ntoken is a trade-off between improving system performance and increasing the amount of time that the client\r\nretains access after the user's account is disabled. Improved system performance is achieved by reducing the\r\nnumber of times a client needs to acquire a fresh access token.\r\nThe default lifetime of an access token is variable. When issued, an access token's default lifetime is assigned a\r\nrandom value ranging between 60-90 minutes (75 minutes on average). The default lifetime also varies depending\r\non the client application requesting the token or if Conditional Access is enabled in the tenant. 
For more\r\ninformation, see Access token lifetime.\r\nSAML tokens\r\nSAML tokens are used by many web-based SaaS applications, and are obtained using Microsoft Entra ID's\r\nSAML2 protocol endpoint. They're also consumed by applications using WS-Federation. The default lifetime of\r\nthe token is 1 hour. From an application's perspective, the validity period of the token is specified by the\r\nNotOnOrAfter value of the \u003cconditions …\u003e element in the token. After the validity period of the token has\r\nended, the client must initiate a new authentication request, which will often be satisfied without interactive sign-in\r\nas a result of the single sign-on (SSO) session token.\r\nThe value of NotOnOrAfter can be changed using the AccessTokenLifetime parameter in a\r\nTokenLifetimePolicy. It will be set to the lifetime configured in the policy, if any, plus a clock skew factor of\r\nfive minutes.\r\nThe subject confirmation NotOnOrAfter specified in the \u003cSubjectConfirmationData\u003e element is not affected by\r\nthe token lifetime configuration.\r\nID tokens\r\nID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID\r\ntoken is bound to a specific combination of user and client. ID tokens are considered valid until their expiry.\r\nUsually, a web application matches a user's session lifetime in the application to the lifetime of the ID token\r\nissued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the\r\napplication session, and how often it requires the user to be reauthenticated with the Microsoft identity platform\r\n(either silently or interactively).\r\nToken lifetime policies for refresh tokens and session tokens\r\nYou can't set token lifetime policies for refresh tokens and session tokens. 
For lifetime, time-out, and revocation\r\ninformation on refresh tokens, see Refresh tokens.\r\nImportant\r\nAs of January 30, 2021, you can't configure refresh and session token lifetimes. Microsoft Entra no longer honors\r\nrefresh and session token configuration in existing policies. New tokens issued are set to the default configuration.\r\nYou can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration\r\nretirement.\r\nExisting tokens' lifetimes won't be changed. After they expire, a new token will be issued based on the default\r\nvalue.\r\nIf you need to continue to define the time period before a user is asked to sign in again, configure sign-in\r\nfrequency in Conditional Access. To learn more about Conditional Access, read Configure authentication session\r\nmanagement with Conditional Access.\r\nConfigurable token lifetime properties\r\nA token lifetime policy is a type of policy object that contains token lifetime rules. This policy controls how long\r\naccess, SAML, and ID tokens for this resource are considered valid. Token lifetime policies can't be set for refresh\r\nand session tokens. If no policy is set, the system enforces the default lifetime value.\r\nAccess, ID, and SAML2 token lifetime policy properties\r\nReducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a\r\nmalicious actor for an extended period of time. (These tokens can't be revoked.) 
The trade-off is that performance\r\nis adversely affected, because the tokens have to be replaced more often.\r\nFor an example, see Create a policy for web sign-in.\r\nAccess, ID, and SAML2 token configuration are affected by the following properties and the values set for\r\nthem:\r\nProperty: Access Token Lifetime\r\nPolicy property string: AccessTokenLifetime\r\nAffects: Access tokens, ID tokens, SAML2 tokens\r\nDefault:\r\nAccess tokens: varies, depending on the client application requesting the token. For example,\r\ncontinuous access evaluation (CAE) capable clients that negotiate CAE-aware sessions will see a\r\nlong-lived token lifetime (up to 28 hours).\r\nID tokens, SAML2 tokens: One hour\r\nMinimum: 10 minutes\r\nMaximum: One day\r\nRefresh and session token lifetime policy properties\r\nRefresh and session token configuration are affected by the following properties and the values set for them.\r\nAfter the retirement of refresh and session token configuration on January 30, 2021, Microsoft Entra ID will only\r\nhonor the default values described below. 
If you decide not to use Conditional Access to manage sign-in\r\nfrequency, your refresh and session tokens are set to the default configuration on that date and can't change their\r\nlifetimes.\r\nProperty: Refresh Token Max Inactive Time\r\nPolicy property string: MaxInactiveTime\r\nAffects: Refresh tokens\r\nDefault: 90 days\r\nProperty: Single-Factor Refresh Token Max Age\r\nPolicy property string: MaxAgeSingleFactor\r\nAffects: Refresh tokens (for any users)\r\nDefault: Until-revoked\r\nProperty: Multi-Factor Refresh Token Max Age\r\nPolicy property string: MaxAgeMultiFactor\r\nAffects: Refresh tokens (for any users)\r\nDefault: Until-revoked\r\nProperty: Single-Factor Session Token Max Age\r\nPolicy property string: MaxAgeSessionSingleFactor\r\nAffects: Session tokens (persistent and non-persistent)\r\nDefault: Until-revoked\r\nProperty: Multi-Factor Session Token Max Age\r\nPolicy property string: MaxAgeSessionMultiFactor\r\nAffects: Session tokens (persistent and non-persistent)\r\nDefault: Until-revoked\r\nNon-persistent session tokens have a Max Inactive Time of 24 hours, whereas persistent session tokens have a Max\r\nInactive Time of 90 days. Any time the SSO session token is used within its validity period, the validity period is\r\nextended by another 24 hours or 90 days. If the SSO session token isn't used within its Max Inactive Time period, it's\r\nconsidered expired and is no longer accepted. Any change to this default period should be made using\r\nConditional Access.\r\nYou can use PowerShell to find the policies that will be affected by the retirement. Use the PowerShell cmdlets to\r\nsee all the policies created in your organization, or to find which apps are linked to a specific policy.\r\nPolicy evaluation and prioritization\r\nYou can create and then assign a token lifetime policy to a specific application and to your organization. Multiple\r\npolicies might apply to a specific application. 
The token lifetime policy that takes effect follows these rules:\r\nIf a policy is explicitly assigned to the organization, it's enforced.\r\nIf no policy is explicitly assigned to the organization, the policy assigned to the application is enforced.\r\nIf no policy has been assigned to the organization or the application object, the default values are enforced.\r\n(See the table in Configurable token lifetime properties.)\r\nA token's validity is evaluated at the time the token is used. The policy with the highest priority on the application\r\nthat is being accessed takes effect.\r\nAll timespans used here are formatted according to the C# TimeSpan object - D.HH:MM:SS. So 80 days and 30\r\nminutes would be 80.00:30:00. The leading D can be dropped if zero, so 90 minutes would be 00:90:00.\r\nREST API reference\r\nYou can configure token lifetime policies and assign them to apps using Microsoft Graph. For more information,\r\nsee the tokenLifetimePolicy resource type and its associated methods.\r\nCmdlet reference\r\nThese are the cmdlets in the Microsoft Graph PowerShell SDK.\r\nManage policies\r\nYou can use the following commands to manage policies.\r\nApplication policies\r\nYou can use the following cmdlets for application policies.\r\nNext steps\r\nTo learn more, read examples of how to configure token lifetimes.\r\nSource: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes"
	],
	"report_names": [
		"active-directory-configurable-token-lifetimes"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a0cba2917b520b18c8e94032e3584b26136a462.pdf",
		"text": "https://archive.orkl.eu/9a0cba2917b520b18c8e94032e3584b26136a462.txt",
		"img": "https://archive.orkl.eu/9a0cba2917b520b18c8e94032e3584b26136a462.jpg"
	}
}