Force MSI access token expiration?

Is there a way to force an access token to be refreshed in less than the default 24 hours?

The use case is an Azure service with a managed service identity (MSI) that authenticates against an AAD application. Say that application’s app roles have changed, such that the cached access token does not contain the new claims that are required for the changed app roles. The Azure service using the MSI then becomes inoperable (gets an error ‘User does not have claim xyz’) until the token expires, up to 24 hours (according to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-us...).
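The failure described in the question (a cached MSI token issued before an app-role change) can at least be diagnosed precisely by decoding the token's claims and comparing them with what the service requires, rather than surfacing an opaque "missing claim" error. The Python below is an added example, not code from this thread: it builds a constructed, unsigned JWT-shaped token inline so it runs offline, and the audience, role names and timestamps are assumptions. It does not shorten the cache lifetime; it reports which required roles are absent and how long the cached token has left, which is what an operator needs when deciding whether to wait for expiry or restart the service.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(roles, exp):
    """Constructed sample token (header.payload.signature) for this example.
    Real MSI tokens are RS256-signed by AAD; the signature here is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "api://example-app",  # assumed application ID URI
        "roles": roles,              # app roles granted when the token was issued
        "iat": exp - 86400,          # the docs cite a cache lifetime of up to 24 hours
        "exp": exp,
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "dummysig",
    ])


def decode_claims(token):
    """Return the payload claims of a JWT without verifying the signature.
    Suitable only for inspecting a token the caller already holds for
    diagnostics; authorization decisions must use a verified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, required_roles, now=None):
    """Compare the cached token's 'roles' claim with the roles the service
    now requires and report time until the cache must refresh."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    have = set(claims.get("roles", []))
    missing = sorted(set(required_roles) - have)
    seconds_left = int(claims["exp"] - now)
    return {
        "missing_roles": missing,
        "seconds_until_expiry": seconds_left,
        # 'stale' means the token is still valid but predates the role change
        "stale": bool(missing) and seconds_left > 0,
    }


if __name__ == "__main__":
    issued_before_change = make_sample_token(["Reader"], int(time.time()) + 3600)
    print(check_token(issued_before_change, ["Reader", "Writer"]))
```

A service can run this check at startup and on each authorization failure, then log the missing roles and `seconds_until_expiry` so the outage has a known end time instead of an unexplained error.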

1 Reply

I think you can apply SignIn frequency CA Policy and apply it to MSI and set the token expiration lower than 24 hours. I have not tested this personally, but I trust it should work.