Forum Discussion
Force MSI access token expiration?
Is there a way to force an access token be refreshed in less than the default 24 hours?
The use case is an Azure service with a managed service identity (MSI) that authenticates against an AAD application. Say that application’s app roles have changed, such that the cached access token does not contain the new claims that are required for the changed app roles. The Azure service using the MSI then becomes inoperable (gets an error ‘User does not have claim xyz’) until the token expires, up to 24 hours (according to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#token-caching).
- Jai VermaBrass Contributor
I think you can apply SignIn frequency CA Policy and apply it to MSI and set the token expiration lower than 24 hours. I have not tested this personally, but I trust it should work.