Azure AD PIM token lifetimes


Does anyone know if Azure AD PIM has any impact on token lifetimes? I know an access token remains valid for 1 hour whereas a refresh token can have long life. Does this mean if user activates their role for only 30mins, they will continue to have privileged access for at least one hour unless user explicitly logs-out of the session.

1 Reply

@Gurdev Singh Hi, the minimum amount of time you can utilize PIM for is 1 h. But that doesn't change my answer to your question. The user in this context would have privileged access for as long as the PIM role would allow him/her, i.e. if the role is configured for 1 h, any user with access to that role would be approved for 1 h in a privileged role. When the time limit is reached, the rights granted by the privileged role are revoked.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=previous#activations

Regards,

Viktor
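The question in the thread is really about the gap between two clocks: the PIM activation end time and the `exp` claim of an access token that was minted while the role was active. The following is an added example for this thread, not code from the original post or from Microsoft. It decodes a token's claims (without verifying the signature, which is fine only for a token you already hold and want to inspect) and reports how far the token's `exp` overhangs the activation window. The token, timestamps and scenario are constructed: a 1 h activation starting at 09:00 UTC and a 1 h access token issued 50 minutes into it, carrying a `wids` claim with the well-known Global Administrator role template ID.

```python
"""Measure how far an Azure AD access token outlives a PIM activation.

Added example for this thread (not code from the original post or from
Microsoft). The token below is CONSTRUCTED and unsigned (alg=none); the
timestamps are made up to illustrate a 1 h activation and a 1 h access
token issued 50 minutes into that activation.
"""
import base64
import json
from datetime import datetime, timedelta, timezone


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that compact JWS strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only for inspecting a token you already hold (e.g. reading iat/exp);
    never use this to decide whether to trust a token received from elsewhere.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_test_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}."


def token_overhang(claims: dict, activation_end: datetime) -> timedelta:
    """How long the token stays within its 'exp' after the PIM activation ends.

    Positive: the token's validity window extends past the activation;
    zero or negative: the token expires at or before the activation does.
    """
    exp = datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)
    return exp - activation_end


def directory_role_claims(claims: dict) -> list:
    """Directory role template IDs carried in the token ('wids' claim)."""
    return list(claims.get("wids", []))


# --- Constructed scenario (assumed values, not real tenant data) -------------
T0 = 1704099600                                    # 2024-01-01T09:00:00Z, activation start
ACTIVATION_END = datetime.fromtimestamp(T0 + 3600, tz=timezone.utc)  # 1 h activation
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iat": T0 + 50 * 60,                           # issued 50 min into the activation
    "nbf": T0 + 50 * 60,
    "exp": T0 + 50 * 60 + 3600,                    # default-style 1 h access token
    "wids": ["62e90394-69f5-4237-9190-012177145e10"],  # Global Administrator template ID
}
SAMPLE_TOKEN = make_unsigned_test_token(SAMPLE_CLAIMS)


def run_scenario(token: str = SAMPLE_TOKEN,
                 activation_end: datetime = ACTIVATION_END) -> dict:
    """Decode the token and compare its 'exp' with the activation end."""
    claims = decode_jwt_claims(token)
    overhang = token_overhang(claims, activation_end)
    return {
        "overhang_seconds": int(overhang.total_seconds()),
        "outlives_activation": overhang > timedelta(0),
        "directory_roles": directory_role_claims(claims),
    }


if __name__ == "__main__":
    result = run_scenario()
    print(f"token exp overhangs activation by {result['overhang_seconds']} s; "
          f"roles in token: {result['directory_roles']}")
```

Run against a real token by replacing `SAMPLE_TOKEN` with one from your own session and `ACTIVATION_END` with the end time shown in the PIM activation; the script only reads the `exp` claim, it does not tell you whether a given resource will keep honouring the role claims until then, which is the part of the question the thread leaves to the PIM documentation.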