Created November 27, 2019 17:01
```powershell
# import the Azure AD module
Import-Module AzureADPreview

# connect with an admin that has the proper privileges
Connect-AzureAD

# specify the policy name and Azure application name
$policyName = "yourPolicyName"
$applicationName = "yourApplicationName"

Write-Host "Create a new policy"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00","MaxInactiveTime":"00:30:00","MaxAgeMultiFactor":"00:30:00","MaxAgeSingleFactor":"00:30:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# get the Azure AD application
$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"

Write-Host "Apply the new policy"
Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id

Write-Host "Get assigned policies..."
Get-AzureADApplicationPolicy -Id $app.ObjectId
```
Hi,
at the time of writing we didn't notice any issues with this command. Not sure if we missed something during our tests. What I noticed, however, is that at that time it was important how you were passing the parameters in the definition. In some cases, the changes didn't apply. Therefore, it makes sense to check your created policy definition once you have published it.
Based on this official documentation https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes you are also able to handle such use cases using the authentication session management capabilities in Azure AD Conditional Access. Maybe you should have a look into this too.
Just let me know what your findings were.
br,
Patrick
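The reply above recommends checking the published policy definition rather than trusting that the script applied it. The following is an added verification snippet, not part of the original gist or its comments; it assumes an existing Connect-AzureAD session, the same `$applicationName` variable as the script, and that the expected lifetimes are the ones in the script's definition.

```powershell
# Added verification example (not part of the original gist): confirm that the
# TokenLifetimePolicy actually attached to the app carries the intended values.
# Assumes an active Connect-AzureAD session and $applicationName from the script.
$expected = @{
    AccessTokenLifetime = "00:10:00"
    MaxInactiveTime     = "00:30:00"
}

$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"
if (-not $app) { throw "Application '$applicationName' not found" }

# Only TokenLifetimePolicy objects matter here; other policy types are ignored.
$policies = Get-AzureADApplicationPolicy -Id $app.ObjectId |
    Where-Object { $_.Type -eq "TokenLifetimePolicy" }

if (-not $policies) {
    Write-Warning "No TokenLifetimePolicy is attached to '$($app.DisplayName)'"
    return
}

foreach ($p in $policies) {
    # Definition is a collection of JSON strings; parse the first entry.
    $def = ($p.Definition | Select-Object -First 1) | ConvertFrom-Json
    $tlp = $def.TokenLifetimePolicy

    # IsOrganizationDefault=True means the policy applies tenant-wide, not just to this app.
    Write-Host "Policy '$($p.DisplayName)' (IsOrganizationDefault=$($p.IsOrganizationDefault))"
    foreach ($key in $expected.Keys) {
        $actual = $tlp.$key
        if ($actual -eq $expected[$key]) {
            Write-Host "  OK       $key = $actual"
        } else {
            # A missing key shows up here as an empty value, which is the
            # "parameters passed differently, change did not apply" case.
            Write-Warning "  MISMATCH $key expected $($expected[$key]) but policy has '$actual'"
        }
    }
}
```

A mismatch or empty value means the definition was not stored the way it was typed, which is the situation the reply describes; the IsOrganizationDefault flag is printed so a tenant-wide policy is not mistaken for an app-scoped one.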
Hello, I was working on this when I came across your script, which combines every command together nicely.
I am still working on a problem here, and I want to ask how you have fixed this.
When I run your script, I can see that the policy is created and attached to the application, but it seems that it is not enabled. Every time I try to retrieve the access token, it seems that it still has the one-hour lifetime.
A more detailed explanation of my problem can be found here: https://stackoverflow.com/questions/61231817/extend-accestoken-lifetime-azure-ad-application
As you can see, someone has answered that the parameter -IsOrganizationDefault $false needs to be set to "true", but as I see it, that impacts my entire AD organisation and other developers, which is not acceptable for me.
And this also gives no reason for the command "Add-AzureADApplicationPolicy" if it's going to be set on the entire organisation anyway.
Do you have any solution for this problem?