Hi Team,
We have an app which uses the OAuth auth code grant type. We are trying to restrict session tokens and limit them to 10 minutes; however, after applying the policy it is not working and users stay logged in on browsers.
Can you please suggest if we are missing something? We are using the below policy:
# $policyName must be set before the call (placeholder value)
$policyName = "TenMinuteSessionPolicy"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSessionSingleFactor":"00:10:00","MaxAgeSessionMultiFactor":"00:10:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Thanks in advance
Hi,
Try to follow this documentation to see if that helps.
You can also configure this through Conditional Access if you prefer to use the GUI.
Hi Sunny987
Did you set the "LastPasswordChangeTimestamp" and sync it?
Also, Set-AzureADPolicy -Id $policy.Id -DisplayName $policy.DisplayName -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"00:10:00"}}') as an example to update it to 10 minutes.
Federated users who have insufficient revocation information include any users who do not have the "LastPasswordChangeTimestamp" attribute synced. These users are given this short Max Age because AAD is unable to verify when to revoke tokens that are tied to an old credential (such as a password that has been changed) and must check back in more frequently to ensure that the user and associated tokens are still in good standing. To improve this experience, tenant admins must ensure that they are syncing the "LastPasswordChangeTimestamp" attribute (this can be set on the user object using PowerShell or through AADSync).
You can also look at setting the policy for each specific web application and resource separately, if the client stays logged in.
I hope it will help you,
Regards, Armand B.
Hi, could you please provide the log?
We can't determine an error code by guessing here and there.
I did read your reply to Daniel, and it seems that you are asking for a workaround solution for the 10 minute policy.
If you read the message I posted for you, the solution is present in the message.
Again, you need to set a different set of policies for each API or function; the token will not refresh and will remain logged in.
What you could also do is revoke the token by killing it with revocation and syncing your network VM machine. There are many ways to do this; it is up to you to choose which one fits your case best, since you have not provided any details or logs of the actual problem.
Please review your question and the answers provided.
Please "Accept as answer" wherever the information provided helps you, to help others in the community.
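The following is an added example, not code from the original question or answers, that ties together the pieces discussed in this thread: creating or updating a TokenLifetimePolicy, assigning it to the app's service principal, verifying what the directory actually holds, checking that "LastPasswordChangeTimestamp" is present for a synced user, and revoking a user's refresh tokens. It assumes the AzureAD module (with Connect-AzureAD already run) and, for the password-timestamp check, the MSOnline module (Connect-MsolService); $appDisplayName, $policyName, $checkUserUpn and $revokeUserUpn are placeholder values. One caveat a practitioner should know: Microsoft has since retired the session and refresh token properties of this policy type (MaxAgeSessionSingleFactor, MaxAgeSessionMultiFactor, MaxAgeSingleFactor, MaxAgeMultiFactor and similar), which is why a policy like the one in the question is silently ignored; only the access, ID and SAML token lifetimes remain configurable here, and the browser session length belongs in a Conditional Access sign-in frequency policy instead. The example therefore sets AccessTokenLifetime.

```powershell
# Added example (not the poster's or Microsoft's code). Requires the AzureAD module
# and an existing Connect-AzureAD session. Placeholder values below must be replaced.
$appDisplayName = "Contoso Auth Code App"      # placeholder: app registration's display name
$policyName     = "TenMinuteAccessTokenPolicy" # placeholder: policy name
$checkUserUpn   = "user@contoso.example"       # placeholder: a federated/synced user to check
$revokeUserUpn  = $null                        # placeholder: set to a UPN only to revoke that user

# 1. Build the definition. Only AccessTokenLifetime is still honoured by this policy type;
#    the MaxAgeSession* / MaxAge*Factor properties are retired and do nothing.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = "00:10:00"   # TimeSpan string hh:mm:ss
    }
} | ConvertTo-Json -Depth 3 -Compress

# 2. Create the policy once, or update it if one with this name already exists.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $policyName -and $_.Type -eq "TokenLifetimePolicy" }
if ($null -eq $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) `
                                -DisplayName $policyName `
                                -IsOrganizationDefault $false `
                                -Type "TokenLifetimePolicy"
} else {
    Set-AzureADPolicy -Id $policy.Id -DisplayName $policy.DisplayName -Definition @($definition)
}

# 3. Assign the policy to the service principal (enterprise app) that tokens are issued for.
#    A non-default policy that is not assigned to anything has no effect at all.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if ($null -eq $sp) { throw "Service principal '$appDisplayName' not found" }
$alreadyAssigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if ($null -eq $alreadyAssigned) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# 4. Verify what the directory holds for this service principal, not what you think you set.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, @{ n = "Definition"; e = { $_.Definition -join "" } }

# 5. Check that LastPasswordChangeTimestamp is synced for a given user (MSOnline module,
#    Connect-MsolService already run). An empty value means AAD lacks revocation info for
#    that user and falls back to the short max age described in the quoted documentation.
$msolUser = Get-MsolUser -UserPrincipalName $checkUserUpn
if ($null -eq $msolUser.LastPasswordChangeTimestamp) {
    Write-Warning "$checkUserUpn has no LastPasswordChangeTimestamp synced"
} else {
    Write-Output "$checkUserUpn last password change: $($msolUser.LastPasswordChangeTimestamp)"
}

# 6. Optional: invalidate a user's refresh tokens so the next access token request
#    must re-authenticate. Runs only when $revokeUserUpn is explicitly set.
if ($revokeUserUpn) {
    $user = Get-AzureADUser -ObjectId $revokeUserUpn
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    Write-Output "Refresh tokens revoked for $revokeUserUpn"
}
```

Step 4 is the check the thread was missing: a policy that exists in the tenant but is not assigned to the service principal, or that sets properties the service no longer honours, looks correct in the script yet changes nothing for signed-in users. Step 6 is a mitigation to use after a credential change or suspected token theft; it forces a fresh sign-in rather than shortening the session globally.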