Azure AD PIM token lifetimes

Gurdev Singh
Contributor

Does anyone know if Azure AD PIM has any impact on token lifetimes? I know an access token remains valid for 1 hour, whereas a refresh token can have a long life. Does this mean that if a user activates their role for only 30 mins, they will continue to have privileged access for at least one hour unless the user explicitly logs out of the session?

1 Reply

@Gurdev Singh Hi, the minimum amount of time you can utilize PIM for is 1h. But that doesn't change my answer to your question. The user in this context would have privileged access for as long as the PIM role would allow him/her, i.e. if the role is configured for 1h, any user with access to that role would be approved for 1h in a privileged role. When the time limit is reached, the rights granted by the privileged role are revoked.


https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=previous#activations

Regards,

Viktor
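As an added check, not from this thread or from Microsoft, the Python script below decodes an access token's payload (without verifying the signature) and reports how far its `exp` lies beyond a PIM activation end time; the token, timestamps and role template id are constructed for the demo.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims. The signature is NOT verified:
    this is an inspection aid, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_outlives_activation(token: str, activation_end: datetime) -> timedelta:
    """How long the token stays valid past the PIM activation end
    (zero or negative: it expires at or before the activation end)."""
    claims = decode_jwt_payload(token)
    exp = datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)
    return exp - activation_end


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for the demo; real tokens are signed by Azure AD.
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed scenario: role activated 10:00-11:00 UTC; a token issued at 10:45
# with a one-hour lifetime carries the role claim until 11:45.
ACTIVATION_END = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)
ISSUED_AT = datetime(2024, 1, 1, 10, 45, tzinfo=timezone.utc)
SAMPLE_TOKEN = _make_unsigned_token({
    "iat": int(ISSUED_AT.timestamp()),
    "exp": int((ISSUED_AT + timedelta(hours=1)).timestamp()),
    "wids": ["constructed-role-template-id"],  # wids: directory role template ids
})

if __name__ == "__main__":
    overrun = token_outlives_activation(SAMPLE_TOKEN, ACTIVATION_END)
    print(f"token stays valid {overrun} past the activation end")
```

Run it against a real token (pasted from a test account) and the activation end shown in the PIM portal to see the window in your own tenant; a positive result is the case to plan detections and token policy around.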
