Forum Discussion

Deleted
Mar 01, 2018

Office 365 Access and Refresh Tokens

Background:
We use DUO (MFA) as a custom control under Azure AD Conditional Access policies for Office 365.
Ref: https://duo.com/docs/azure-ca
For mobile applications that use the OneDrive/SharePoint app, we have a Conditional Access policy that prompts for DUO.

Current situation:
The user signs into the app -> prompted for DUO.
Once authenticated, the user gets a pair of access/refresh tokens.
So ideally, since the refresh token is valid for 90 days, in case of inactivity there would be no primary/secondary auth prompts until the refresh token expires OR is revoked (password change, new policy, etc.).


Ask:
Users should be prompted more frequently for DUO MFA on mobile apps, let's say every time they are inactive for 2 hours.

I stumbled upon solutions like changing the MaxInactiveTime for refresh tokens to, let's say, 1 day; if the user doesn't access the app within that time, they would be asked to re-authenticate.
Or MaxAgeSingleFactor -> e.g. if set to 14 days, every time after this they would have to re-authenticate.


1. I have a few doubts with these approaches:
What would be the effect of setting these, in particular on:
Outlook client app on Windows/Macs,
OWA,
SPO/PJO browser access?

2. Is there a way to aim these at only the SharePoint and OneDrive mobile apps?
Maybe some guidance on using the object id?

3. What is considered a public vs confidential client when it comes to Office 365?
How would I classify Office apps on mobile devices, the Outlook client app, the OneDrive app for Windows, and browser access into public vs confidential?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes#configurable-token-lifetime-properties
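As an added illustration of what the MaxInactiveTime / MaxAgeSingleFactor settings look like in practice (this is not code from the original post or from any reply), the following PowerShell creates a token lifetime policy that is not the organization default and links it to one application's service principal by object id. The cmdlet names and the JSON property names come from the AzureAD PowerShell module and the configurable token lifetime documentation linked above; the policy display name and the service principal filter value are placeholders you would replace with your tenant's values.

```powershell
# Added example (not from the original post): scope an Azure AD token
# lifetime policy to a single application's service principal.
# Requires the AzureADPreview module and an administrator sign-in.
# DisplayName and the filter value are placeholders.
Connect-AzureAD

# Durations use TimeSpan notation: days.hours:minutes:seconds.
# MaxInactiveTime 1 day    -> a refresh token unused for 24 hours cannot be redeemed again.
# MaxAgeSingleFactor 14 days -> after 14 days a single-factor session must re-authenticate
#                               even if the user has been active.
$definition = @'
{
  "TokenLifetimePolicy": {
    "Version": 1,
    "MaxInactiveTime": "1.00:00:00",
    "MaxAgeSingleFactor": "14.00:00:00"
  }
}
'@

# IsOrganizationDefault $false keeps this policy off the tenant-wide default,
# so clients not linked to it keep the tenant's default lifetimes.
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "MobileAppRefreshTokenPolicy-PLACEHOLDER" `
    -IsOrganizationDefault $false `
    -Type "TokenLifetimePolicy"

# Look up the target application's service principal and attach the policy
# to it by object id. Replace the placeholder display name with the real one.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'PLACEHOLDER-APP-NAME'"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Confirm which policies are now linked to that service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
```

Because the policy is linked to a service principal rather than set as the organization default, the Outlook desktop client, OWA and browser access to SPO are unaffected unless their own application identities are linked to the same policy. Identifying the correct service principal for first-party Microsoft mobile apps is the undocumented part that the first reply below warns about, so verify the object id in your tenant before linking a policy to it.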
Reply:

Changing the token lifetime will affect all clients/devices and while you can configure this per Office 365 workload, the process is not very well documented and you will have to guesstimate some of the required appIDs. In other words, I wouldn't recommend using this method for your scenario.

Vignes Anand
Copper Contributor

Hi Priyank,

Did you get the configuration that needs to be used for your scenario? We are also trying to implement the same change and are not sure of the impact on production.
