Forum Discussion
Gurdev Singh
Nov 10, 2019 · Iron Contributor
Azure AD PIM token lifetimes
Does anyone know if Azure AD PIM has any impact on token lifetimes? I know an access token remains valid for 1 hour whereas a refresh token can have long life. Does this mean if user activates their ...
Lucaraheller
Oct 21, 2025 · Brass Contributor
Gurdev Singh this is one of those PIM behaviors that often surprises people.
In short: yes, Azure AD / Entra ID PIM activation doesn’t immediately revoke an access token when the role’s activation window expires.
Here’s how it works in practice:
- Access tokens are typically valid for 1 hour, regardless of how long the PIM role is activated for.
- Refresh tokens can last much longer (up to 90 days, depending on configuration), but the important part is that when a refresh token is used to request a new access token, the system re-evaluates the user’s current PIM role state.
- So if the user’s PIM role activation was for 30 minutes, and their existing access token was issued during that period, that token will remain valid for its full lifetime — even if the PIM activation expires sooner.
In other words:
- 🟢 The user retains privileged access until the access token expires (typically 1 hour).
- 🔴 The user won’t be able to get new privileged tokens after that unless they re-activate the role.
If you need to enforce immediate revocation, you can:
- Use “Revoke Sign-In Sessions” in Entra ID → Users → Revoke Sessions (forces all access tokens to expire immediately).
- Or enable Continuous Access Evaluation (CAE), which allows certain critical events (like role deactivation or risk-based signals) to trigger near real-time token invalidation — though this currently applies mainly to certain Microsoft 365 and Azure services.
TL;DR:
- PIM doesn’t shorten access token lifetime.
- A 30-minute activation will allow the user to keep using the elevated privileges for up to 1 hour (the token’s validity).
- After the token expires, a new one can’t be issued unless the role is reactivated.
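The timeline the answer above describes, as an added toy model (not code from the thread or from Microsoft): it assumes a fixed 1-hour access token lifetime, treats every access-token request (sign-in or refresh-token redemption) as re-checking PIM state, and does not model CAE or session revocation. It also generalizes the 30-minute case to show the worst-case effective window for any activation length.

```python
from dataclasses import dataclass, field

ACCESS_TOKEN_LIFETIME_S = 3600  # assumed default access token lifetime (1 hour)


@dataclass
class PimModel:
    """Toy model of PIM activation vs. token lifetime. Times are seconds
    since an arbitrary epoch. CAE and session revocation are not modelled."""
    activation_start: int
    activation_end: int
    access_tokens: list[tuple[int, int]] = field(default_factory=list)  # (iat, exp)

    def role_active(self, t: int) -> bool:
        return self.activation_start <= t < self.activation_end

    def request_access_token(self, t: int) -> bool:
        """Sign-in or refresh-token redemption at time t. Succeeds only while
        the role is active, because the token issuer re-evaluates PIM state."""
        if not self.role_active(t):
            return False
        self.access_tokens.append((t, t + ACCESS_TOKEN_LIFETIME_S))
        return True

    def has_privilege(self, t: int) -> bool:
        """True while any issued access token is unexpired, whatever the
        activation state: PIM expiry does not revoke an existing token."""
        return any(iat <= t < exp for iat, exp in self.access_tokens)

    def privilege_end(self) -> int:
        """Latest instant at which some already-issued token still carries the role."""
        return max((exp for _, exp in self.access_tokens), default=self.activation_start)


def worst_case_window(activation_minutes: int) -> int:
    """Effective privileged window (seconds from activation) if the user obtains
    a fresh access token one second before the activation ends."""
    end = activation_minutes * 60
    m = PimModel(0, end)
    m.request_access_token(0)        # token from the initial sign-in
    m.request_access_token(end - 1)  # refresh just before the activation window closes
    return m.privilege_end()


if __name__ == "__main__":
    m = PimModel(0, 30 * 60)  # the 30-minute activation discussed in the thread
    m.request_access_token(0)
    for t in (0, 1799, 1800, 3000, 3600):
        print(f"t={t:5d}s role_active={m.role_active(t)!s:5} has_privilege={m.has_privilege(t)}")
    print("worst case for a 30-minute activation:", worst_case_window(30), "seconds")
```

The worst-case figure is what a detection or review process should plan around: an activation of N minutes can carry privilege for up to N minutes plus one full access token lifetime.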