Microsoft Previews Token Lifetime Policies for Azure Active Directory

Microsoft is previewing an Azure Active Directory capability that lets organizations have better control over application access by end users.

The control works by specifying how long a token used to access an application is allowed to remain valid. Users typically undergo a token exchange as part of the credentialing process, which authenticates or denies their access to apps. The user, for instance, may be trying to access applications housed in a multitenant datacenter, such as Web apps or Office 365 apps.

Currently, the Azure AD service sets default "lifetimes" for the various token types that are used to access applications. Now, Microsoft has announced a preview of the ability for IT pros to configure more specific token lifetimes by creating "token lifetime policies."

Azure AD has a complex token scheme. Policies can be set for "refresh tokens, access tokens, session tokens, and ID tokens," according to Microsoft's documentation on "Configurable Token Lifetimes." Access tokens are presented by a client and can't be revoked, so their lifetime is the control over how long they stay usable. Refresh tokens can be revoked and accompany access tokens to permit reauthentication within a given amount of time. ID tokens contain user profile information.

IT pros can set token lifetime policies by specifying properties for the various token types. The policies get set using PowerShell, according to Microsoft's announcement. Organizations might want to set token lifetime policies to make user authentications occur more frequently for some applications, such as "sensitive applications on shared/kiosk devices," according to the announcement.
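As an added illustration of the kiosk scenario above (example code, not from the article or from Microsoft's announcement), the script below creates a token lifetime policy with a short access-token lifetime and binds it to one application's service principal. It assumes the AzureADPreview PowerShell module's policy cmdlets (New-AzureADPolicy, Add-AzureADServicePrincipalPolicy, Get-AzureADServicePrincipalPolicy), an administrator already able to sign in, and a constructed app display name "Kiosk Portal" and 15-minute lifetime.

```powershell
# Added example, not the article's or Microsoft's own code.
# Assumes the AzureADPreview module and its policy cmdlets; the app name
# ("Kiosk Portal") and the 15-minute lifetime are constructed values.
Import-Module AzureADPreview
Connect-AzureAD

# Policy definition: a shorter access-token lifetime for a sensitive app
# on shared/kiosk devices, so a token left behind expires sooner.
# Durations use the hh:mm:ss format.
$definition = @'
{
  "TokenLifetimePolicy": {
    "Version": 1,
    "AccessTokenLifetime": "00:15:00"
  }
}
'@

# Create the policy. IsOrganizationDefault $false keeps it scoped to the
# apps it is explicitly attached to, not the whole tenant.
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "KioskAppShortAccessToken" `
    -IsOrganizationDefault $false `
    -Type "TokenLifetimePolicy"

# Bind the policy to the application's service principal so only that
# app gets the shorter lifetime; other apps keep the tenant defaults.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Kiosk Portal'"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Check: list the policies now attached to the service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
```

A shorter access-token lifetime means clients must redeem their refresh token more often, so the refresh-token controls and sign-in frequency should be reviewed alongside this setting.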

One catch is that some of the capabilities available at the preview stage may require an Azure AD Premium subscription once Microsoft makes the capability generally available for production environments (the "general availability" release).

In other Azure AD news, Microsoft explained an obscure detail about its Azure AD Application Proxy Connector this week. The Azure AD Application Proxy service is used as part of a remote client authentication scheme, such as accessing apps from outside an organization's firewall. The service has a Connector, and Microsoft automatically updates that Connector using an Azure AD Application Proxy Connector Updater service. However, there's a caveat. Microsoft recommends setting up a second Connector in a tenant. Doing so will "avoid downtime and more broadly ensure high availability" during the Connector update process, Microsoft explained in a blog post.

Microsoft also announced this week that all of its identity and access management sessions that were presented at its Ignite conference are now available on demand. A list can be found in this blog post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
