Token Lifetime Policy
We cannot offer custom Token Lifetime Policies that extend the default access token lifetime (1 hour) within our tenant. Doing so would weaken our security posture against adversary-in-the-middle (AiTM) phishing attacks and token theft.
For example, if the lifetime were raised to 8 hours and an access token were stolen, revoking the user's sessions would not help: an access token that has already been issued cannot be revoked and stays valid until it expires, so the attacker would keep access for up to 8 hours.
Your application should therefore use refresh tokens. The access token can then be renewed before it expires without asking the user to sign in again, and because refresh tokens (unlike access tokens) can be revoked, a compromised session can still be cut off at the next refresh.
For guidance on using refresh tokens, see the following Microsoft Learn articles:
- Refresh tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn
- Access tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn
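The following is an added example (not code from this page or from Microsoft) of the refresh pattern described above: keep the 1-hour access token, renew it ahead of expiry with the refresh token, store the rotated refresh token the endpoint hands back, and treat an `invalid_grant` response as the signal that the user's sessions were revoked and a fresh sign-in is required. The token endpoint URL, the `grant_type=refresh_token` form parameters and the `invalid_grant` error code are the documented Microsoft identity platform v2.0 protocol; the class names, the 5-minute skew, the tenant/client ID placeholders and the offline fake endpoint are assumptions made for illustration.

```python
"""Refresh-token handling for short-lived access tokens (added example).

Assumes the app already completed an interactive sign-in (for example the
authorization code flow, requesting the offline_access scope) and holds the
resulting token response. Everything not part of the documented v2.0 token
endpoint protocol is illustrative.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Documented v2.0 token endpoint; {tenant} is the tenant ID or domain.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class ReauthenticationRequired(Exception):
    """The refresh token was revoked or expired; send the user back to sign-in."""


class TokenManager:
    """Caches an access token and renews it via the refresh_token grant."""

    def __init__(self, tenant, client_id, scope, token_response,
                 post=None, clock=time.time, skew=300):
        self.endpoint = TOKEN_ENDPOINT.format(tenant=tenant)
        self.client_id = client_id
        self.scope = scope
        self._post = post or self._http_post   # injectable for offline use
        self._clock = clock                    # injectable for deterministic tests
        self.skew = skew                       # assumed: refresh 5 min before expiry
        self.refresh_count = 0
        self.refresh_token = None
        self._store(token_response)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        # expires_in is the remaining lifetime in seconds as issued by the platform.
        self.expires_at = self._clock() + int(resp["expires_in"])
        # The platform may issue a new refresh token with each response; keep it.
        if resp.get("refresh_token"):
            self.refresh_token = resp["refresh_token"]

    def needs_refresh(self):
        return self._clock() >= self.expires_at - self.skew

    def get_access_token(self):
        """Return a usable access token, refreshing it first if it is about to expire."""
        if self.needs_refresh():
            self.refresh()
        return self.access_token

    def refresh(self):
        form = {
            "client_id": self.client_id,
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "scope": self.scope,
        }
        status, body = self._post(self.endpoint, form)
        if status != 200:
            err = body.get("error")
            if err == "invalid_grant":
                # Refresh token revoked (e.g. admin revoked sessions) or expired.
                raise ReauthenticationRequired(body.get("error_description", err))
            raise RuntimeError(f"token refresh failed: {err}")
        self.refresh_count += 1
        self._store(body)

    @staticmethod
    def _http_post(url, form):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with urllib.request.urlopen(req) as r:
                return r.status, json.load(r)
        except urllib.error.HTTPError as e:
            return e.code, json.load(e)


class FakeTokenEndpoint:
    """Constructed stand-in for the real endpoint so the example runs offline."""

    def __init__(self):
        self.issued = 0
        self.revoked = False            # flip to simulate an admin revoking sessions
        self.current_refresh_token = "rt-0"

    def __call__(self, url, form):
        if form["grant_type"] != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if self.revoked or form["refresh_token"] != self.current_refresh_token:
            return 400, {"error": "invalid_grant",
                         "error_description": "refresh token revoked or superseded"}
        self.issued += 1
        self.current_refresh_token = f"rt-{self.issued}"   # rotation
        return 200, {"access_token": f"at-{self.issued}", "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": self.current_refresh_token}


def demo():
    """Walk through: fresh token, refresh near expiry, then revocation."""
    now = [1_700_000_000]                 # constructed clock
    endpoint = FakeTokenEndpoint()
    tm = TokenManager("contoso.onmicrosoft.com", "<your-client-id>",
                      "User.Read offline_access",
                      {"access_token": "at-0", "expires_in": 3600, "refresh_token": "rt-0"},
                      post=endpoint, clock=lambda: now[0])
    first = tm.get_access_token()         # well within lifetime: no refresh
    now[0] += 3600 - 60                   # 60 s before expiry: inside the skew window
    second = tm.get_access_token()        # renewed silently, refresh token rotated
    endpoint.revoked = True               # admin revokes the user's sessions
    now[0] += 3600
    try:
        tm.get_access_token()
        revoked_detected = False
    except ReauthenticationRequired:
        revoked_detected = True           # app must send the user to sign in again
    return first, second, tm.refresh_count, revoked_detected


if __name__ == "__main__":
    print(demo())
```

The design point is the last step: once the refresh token is revoked, the application loses access at the next renewal (at most one access-token lifetime later), which is exactly the window the 1-hour default keeps small.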