Forum Discussion

Gurdev Singh
Iron Contributor
Nov 10, 2019

Azure AD PIM token lifetimes

Does anyone know if Azure AD PIM has any impact on token lifetimes? I know an access token remains valid for 1 hour, whereas a refresh token can have a long life. Does this mean that if a user activates their role for only 30 mins, they will continue to have privileged access for at least one hour unless the user explicitly logs out of the session?

3 Replies

  •
    Lucaraheller
    Brass Contributor

    Gurdev Singh, this is one of those PIM behaviors that often surprises people.

    In short: yes, Azure AD / Entra ID PIM activation doesn’t immediately revoke an access token when the role’s activation window expires.

    Here’s how it works in practice:

    • Access tokens are typically valid for 1 hour, regardless of how long the PIM role is activated for.
    • Refresh tokens can last much longer (up to 90 days, depending on configuration), but the important part is that when a refresh token is used to request a new access token, the system re-evaluates the user’s current PIM role state.
    • So if the user’s PIM role activation was for 30 minutes, and their existing access token was issued during that period, that token will remain valid for its full lifetime — even if the PIM activation expires sooner.

    In other words:

    • 🟢 The user retains privileged access until the access token expires (typically 1 hour).
    • 🔴 The user won’t be able to get new privileged tokens after that unless they re-activate the role.

    If you need to enforce immediate revocation, you can:

    • Use “Revoke Sign-In Sessions” in Entra ID → Users → Revoke Sessions (forces all access tokens to expire immediately).
    • Or enable Continuous Access Evaluation (CAE), which allows certain critical events (like role deactivation or risk-based signals) to trigger near real-time token invalidation — though this currently applies mainly to certain Microsoft 365 and Azure services.

    TL;DR:

    • PIM doesn’t shorten access token lifetime.
    • A 30-minute activation will allow the user to keep using the elevated privileges for up to 1 hour (the token’s validity).
    • After the token expires, a new one can’t be issued unless the role is reactivated.
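A toy model of the timeline described in the reply above, added here as an illustration and not code from this thread or from Microsoft. It assumes a 1-hour access token that carries only role claims plus iat/exp, a resource that checks nothing but exp (the normal bearer case), and a CAE-style resource that also consults live activation state; all times are constructed epoch seconds.

```python
# Added toy model, not Entra ID/PIM code: tokens carry roles + iat/exp only.
from dataclasses import dataclass

ACCESS_TOKEN_LIFETIME = 3600  # seconds; the typical 1-hour access token

@dataclass(frozen=True)
class PimActivation:
    role: str
    start: int  # epoch seconds (constructed sample values in the usage)
    end: int    # activation expiry; rights are gone after this instant

    def is_active(self, now: int) -> bool:
        return self.start <= now < self.end

@dataclass(frozen=True)
class AccessToken:
    roles: tuple
    iat: int
    exp: int

def issue_token(activations, now):
    """Issuance and refresh alike: role claims reflect what is active at 'now'."""
    roles = tuple(a.role for a in activations if a.is_active(now))
    return AccessToken(roles=roles, iat=now, exp=now + ACCESS_TOKEN_LIFETIME)

def resource_accepts(token, now, required_role):
    """Plain bearer check: claims are trusted until exp, nothing is re-evaluated."""
    return now < token.exp and required_role in token.roles

def cae_resource_accepts(token, now, required_role, activations):
    """CAE-style check: the role must also be active right now, not just in the claim."""
    live = any(a.role == required_role and a.is_active(now) for a in activations)
    return resource_accepts(token, now, required_role) and live

def privileged_overhang(activation, token):
    """Seconds a token issued during the activation stays usable after it expires."""
    return max(0, token.exp - activation.end)
```

With a 30-minute activation starting at t=0 and a token obtained 10 minutes in, the plain check still passes at the 40-minute mark, the CAE-style check fails, a refresh at that point yields no role claim, and the overhang is 2400 seconds.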


  •
    skrub
    Brass Contributor
    PIM does not affect token lifetime, but PIM is subject to token refresh and lifetime behavior:

    https://www.easy365manager.com/pim-privileged-identity-management-token-refresh-and-lifetime/
  • Gurdev Singh Hi, the minimum amount of time you can utilize PIM for is 1h. But that doesn't change my answer to your question. The user in this context would have privileged access for as long as the PIM role would allow him/her. I.e. if the role is configured for 1h, any user with access to that role would be approved for 1h in a privileged role. When the time limit is reached, the rights granted by the privileged role are revoked.


    https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=previous#activations


    Regards,


    Viktor
