Thanks, Alex!
If there is a federation provider (ADFS, Okta, etc.) performing SSO and acting as an identity provider for Office 365, would the expiry of the access tokens necessarily cause an authentication prompt to appear on the client, or would the expired token trigger the client (like Outlook) to reach out to the federated third-party IdP to refresh the authentication?
The reason I am asking is that when federating identities and implementing controls like MFA at the third-party IdP (rather than at Azure AD), the long token lifetime is causing the client not to request MFA at login. So, if the token for the client is for 14 days in Azure AD and the federation provider is configured to MFA every day, the end result we are seeing is that the MFA through the IdP only happens when the client requests a new token...after 14 days...instead of daily.
I want to turn down AccessTokenLifetime to an hour, but don't want to trigger an authentication prompt in the client every hour. I just want to trigger the client to see that its token is expired, then reach to the IdP to begin that refresh.
Here is the 1-hr policy I am planning on implementing:
# Sets the tenant-wide default access-token lifetime to one hour; the value is a dd.hh:mm:ss timespan, so "01:00:00" is one hour ("00:01:00" would be one minute)
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"01:00:00"}}') -DisplayName "OrganizationDefaultPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
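As an added example (not from the post above or from Microsoft), this Python snippet parses a TokenLifetimePolicy definition like the one in the post and checks AccessTokenLifetime against Microsoft's documented bounds for access tokens (10 minutes minimum, 1 day maximum); the bounds and the `dd.hh:mm:ss` timespan format are taken from the published policy documentation, not from the post. Run against the posted definition it reports that "00:01:00" is one minute, not one hour.

```python
import json
import re
from datetime import timedelta

# Documented limits for AccessTokenLifetime in an Azure AD TokenLifetimePolicy.
ACCESS_TOKEN_MIN = timedelta(minutes=10)
ACCESS_TOKEN_MAX = timedelta(days=1)

# Timespan is "dd.hh:mm:ss"; the day part is optional ("hh:mm:ss").
_TIMESPAN = re.compile(r"^(?:(?P<d>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})$")

# Constructed inputs: the definition as posted, and the intended one-hour version.
POSTED_DEFINITION = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:01:00"}}'
ONE_HOUR_DEFINITION = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"01:00:00"}}'


def parse_timespan(value: str) -> timedelta:
    """Convert a policy timespan string into a timedelta."""
    m = _TIMESPAN.match(value)
    if not m:
        raise ValueError(f"not a dd.hh:mm:ss timespan: {value!r}")
    return timedelta(days=int(m.group("d") or 0), hours=int(m.group("h")),
                     minutes=int(m.group("m")), seconds=int(m.group("s")))


def lifetime_seconds(definition: str) -> int:
    """Return the AccessTokenLifetime from a policy definition, in seconds."""
    policy = json.loads(definition)["TokenLifetimePolicy"]
    return int(parse_timespan(policy["AccessTokenLifetime"]).total_seconds())


def check_access_token_lifetime(definition: str) -> list[str]:
    """Return a list of problems with the policy's AccessTokenLifetime (empty if it is in range)."""
    lifetime = timedelta(seconds=lifetime_seconds(definition))
    problems = []
    if lifetime < ACCESS_TOKEN_MIN:
        problems.append(f"AccessTokenLifetime {lifetime} is below the {ACCESS_TOKEN_MIN} minimum")
    if lifetime > ACCESS_TOKEN_MAX:
        problems.append(f"AccessTokenLifetime {lifetime} exceeds the {ACCESS_TOKEN_MAX} maximum")
    return problems


if __name__ == "__main__":
    for label, definition in (("posted", POSTED_DEFINITION), ("one-hour", ONE_HOUR_DEFINITION)):
        print(label, lifetime_seconds(definition), "s", check_access_token_lifetime(definition) or "OK")
```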