Home

Office 365 Access and Refresh Tokens

%3CLINGO-SUB%20id%3D%22lingo-sub-166760%22%20slang%3D%22en-US%22%3EOffice%20365%20Access%20and%20Refresh%20Tokens%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166760%22%20slang%3D%22en-US%22%3E%3CP%3EBackground%3A%3CBR%20%2F%3EWe%20use%20DUO(MFA)%20as%20a%20custom%20control%20under%20Azure%20AD%20conditional%20access%20policies%20for%20Office%20365.%3CBR%20%2F%3ERef%3A%3CA%20href%3D%22https%3A%2F%2Fduo.com%2Fdocs%2Fazure-ca%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fduo.com%2Fdocs%2Fazure-ca%3C%2FA%3E%20%3CBR%20%2F%3EFor%20Mobile%20applications%20that%20use%20the%20OneDrive%2FSharePoint%20app%2C%20we%20have%20a%20Conditional%20access%20policy%20that%20prompts%20for%20DUO.%3C%2FP%3E%0A%3CP%3ECurrent%20situation%3A%3CBR%20%2F%3EThe%20user%20signs%20into%20the%20app%20-%26gt%3B%20prompted%20for%20DUO.%3CBR%20%2F%3EOnce%20authenticated%2C%20the%20user%20gets%20a%20pair%20a%20of%20access%2Frefresh%20tokens.%3CBR%20%2F%3ESo%20ideally%2C%20since%20the%20refresh%20token%20is%20valid%20for%2090%20days%2C%20incase%20of%20inactivity%2C%20there%20would%20be%20no%20primary%2Fsecondary%20auth%20prompts%20untill%20the%20refresh%20token%20expires%20OR%20revoked(pasword%20change%2C%20new%20polcy%20etc).%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EAsk%3A%3CBR%20%2F%3EUser%20should%20be%20prompted%20more%20frequently%20for%20DUO%20MFA%20on%20mobile%20apps%2C%20lets%20say%20every%20time%20they%20are%20inactive%20for%202%20hours.%3C%2FP%3E%0A%3CP%3EI%20stumbled%20upon%20solutions%20like%20changing%20the%20MaxInactiveTime%20for%20refresh%20tokens%20so%20lets%20say%201%20day%2C%20if%20the%20user%20doesnt%20access%20the%20app%20then%20they%20would%20be%20asked%20to%20re-aunthenticate.%3CBR%20%2F%3Eor%20MaxAgeSingleFactor%20-%26gt%3B%20eg%20if%20set%20to%2014%20days%2C%20every%20time%20after%20this%20they%20would%20have%20to%20re-authenticate.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E1.%3CBR%20%2F%3EI%20have%20a%20few%20doubts%20with%20these%20approaches%3A%3CBR%20%2F%3EWhat%20would%20be%20the%20affect%20of%20setting%20these%2C%20in%20particular%20to%3A%3CBR%20%2F%3EOutlook%20client%20app%20on%20windows%2Fmacs.%3CBR%20%2F%3EOWA%3CBR%20%2F%3ESPO%2FPJO%20browser%20access%3F%3C%2FP%3E%0A%3CP%3E2.%3CBR%20%2F%3EIs%20there%20a%20way%20to%20aim%20these%20at%20only%20SharePoint%20and%20OneDrive%20mobile%20apps%3F%3CBR%20%2F%3EMaybe%20some%20guidance%20on%20using%20the%20object%20id%3F%3C%2FP%3E%0A%3CP%3E3.What%20is%20considered%20as%20a%20public%20Vs%20confidential%20client%20when%20it%20comes%20to%20office%20365%3F%3CBR%20%2F%3Ehow%20would%20i%20classify%20office%20apps%20on%20mobile%20devices%20%2C%20Outlook%20client%20app%2C%20onedrive%20app%20for%20windows%2C%20broswer%20access%20into%20public%20vs%20confidential%3F%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-configurable-token-lifetimes%23configurable-token-lifetime-properties%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-configurable-token-lifetimes%23configurable-token-lifetime-properties%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-166760%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-270615%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Access%20and%20Refresh%20Tokens%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-270615%22%20slang%3D%22en-US%22%3E%3CP%3Ehi.%3C%2FP%3E%3CP%3ENo%20we%20actualyl%20dint%20go%20down%20this%20path%20due%20to%20lack%20of%20documentation.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-configurable-token-lifetimes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-configurable-token-lifetimes%3C%2FA%3E%3C%2FP%3E%3CP%3Ethe%20article%20says%20the%20functionality%20is%20going%20to%20be%20replaced%3F%3C%2FP%3E%3CP%3ENot%20sure%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-270430%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Access%20and%20Refresh%20Tokens%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-270430%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Priyank%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20you%20get%20the%20configuration%20that%20needs%20to%20be%20used%20for%20your%20scenario%3F%20We%20are%20also%20trying%20to%20implement%20the%20same%20change%20and%20not%20sure%20on%20the%20impact%20on%20the%20production.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166989%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Access%20and%20Refresh%20Tokens%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166989%22%20slang%3D%22en-US%22%3E%3CP%3EChanging%20the%20token%20lifetime%20will%20affect%20all%20clients%2Fdevices%20and%20while%20you%20can%20configure%20this%20per%20Office%20365%20workload%2C%20the%20process%20is%20not%20very%20well%20documented%20and%20you%20will%20have%20to%20guestimate%20some%20of%20the%20required%20appIDs.%20In%20other%20words%2C%20I%20wouldn't%20recommend%20using%20this%20method%20for%20your%20scenario.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Deleted
Not applicable

Background:
We use DUO(MFA) as a custom control under Azure AD conditional access policies for Office 365.
Ref:https://duo.com/docs/azure-ca
For Mobile applications that use the OneDrive/SharePoint app, we have a Conditional access policy that prompts for DUO.

Current situation:
The user signs into the app -> prompted for DUO.
Once authenticated, the user gets a pair a of access/refresh tokens.
So ideally, since the refresh token is valid for 90 days, incase of inactivity, there would be no primary/secondary auth prompts untill the refresh token expires OR revoked(pasword change, new polcy etc).


Ask:
User should be prompted more frequently for DUO MFA on mobile apps, lets say every time they are inactive for 2 hours.

I stumbled upon solutions like changing the MaxInactiveTime for refresh tokens so lets say 1 day, if the user doesnt access the app then they would be asked to re-aunthenticate.
or MaxAgeSingleFactor -> eg if set to 14 days, every time after this they would have to re-authenticate.


1.
I have a few doubts with these approaches:
What would be the affect of setting these, in particular to:
Outlook client app on windows/macs.
OWA
SPO/PJO browser access?

2.
Is there a way to aim these at only SharePoint and OneDrive mobile apps?
Maybe some guidance on using the object id?

3.What is considered as a public Vs confidential client when it comes to office 365?
how would i classify office apps on mobile devices , Outlook client app, onedrive app for windows, broswer access into public vs confidential?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetime...

 

 

 

3 Replies
Highlighted

Changing the token lifetime will affect all clients/devices and while you can configure this per Office 365 workload, the process is not very well documented and you will have to guestimate some of the required appIDs. In other words, I wouldn't recommend using this method for your scenario.

Hi Priyank,

 

Did you get the configuration that needs to be used for your scenario? We are also trying to implement the same change and not sure on the impact on the production.

hi.

No we actualyl dint go down this path due to lack of documentation.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...

the article says the functionality is going to be replaced?

Not sure though.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies