Configurable token lifetimes in Azure Active Directory for my Web API

Question

I need to create lifetime token for my WEB Api. I’ve used the following guide but the Policy doesn’t work. As I’ve noticed, for my Web Api the following OrganizationDefaultPolicyScenario works. I made it work by only using AzureADPolicy with setting -IsOrganizationDefault $true not $false.

My configuration:

OdataType :
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"02:00:00"}}}
DisplayName : OrganizationDefaultPolicyScenario
IsOrganizationDefault : True
KeyCredentials : {}
Type : TokenLifetimePolicy

OdataType :
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"08:00:00", "MaxInactiveTime":"30.00:00:00", "MaxAgeMultiFactor":"until-revoked", "MaxAgeSingleFactor":"180.00:00:00"}}}
DisplayName : WebApiDefaultPolicy
IsOrganizationDefault : False
KeyCredentials : {}
Type : TokenLifetimePolicy

PS C:\Users\1> Get-Azureadapplicationpolicy -id

Id :
OdataType : #microsoft.graph.policy
AlternativeIdentifier :
Definition : {{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"08:00:00", "MaxInactiveTime":"30.00:00:00", "MaxAgeMultiFactor":"until-revoked", "MaxAgeSingleFactor":"180.00:00:00"}}}
DisplayName : WebApiDefaultPolicy
IsOrganizationDefault : False
KeyCredentials : {}
Type : TokenLifetimePolicy

Answer 1

you need to assign it to a Service principal representing the resource your clients are accessing. what is your client and what API is it accessing (aka. when you are asking for an access token what is your resource parameter?)

also token lifetimes will be gone by end of June (only Access Tokens timeouts customizations are sticking around). look at sign-in frequency in conditional access instead.