Modern Authentication Tokens

2018-01-19T10:34:42+00:00 January 17th, 2018|Office 365|

Modern Authentication is now the preferred authentication method used by (the majority) of Office apps that authenticate with Office 365. MA uses tokens during the authentication process which refresh based on different circumstances. The below is taken from this link and describes the process:

When a user successfully authenticates with Office 365 (Azure AD), they are issued both an Access Token and a Refresh Token.
The Access Token is very short-lived (valid for around 1 hour).
The Refresh Token is longer-lived – in some cases the token may be valid for up to 90 days if:
It is frequently used
The user hasn’t changed their password
The Access token is what is used to actually gain access to Resources such as Exchange or SharePoint Online. When the Access token expires, the Office client will present the Refresh token to Azure AD and request a new Access Token to use with the resource. The default lifetime for a Refresh Token is 14 days (expires 14 days after issue if not “used”). Features such as Conditional Access Policies may force users to sign-in again even though the Refresh Token is still valid. Once the Refresh token expires, users will need to sign-in again. If your company has been configured for Single Sign-On (SSO) through Federation, you may not need to explicitly do anything (SSO will just work!).

Changing logical (IP address) or physical locations after the Refresh Token has been acquired by the Office client will not impact the validity of the token. For example, if a user is on the corporate network during business hours and performs authentication, they will be issued both Access and Refresh tokens. When the user leaves the office and travels to an off-site location (no longer on the corporate network), their refresh token will still be valid even though the geo-location (as determined by IP address) for the user’s machine has changed. The validity of Refresh tokens are not re-evaluated until the Refresh Token expires. Some other events, such as a managed user changing their password, will also cause their refresh token to be invalidated. Federated user password changes do not result in this behavior.

Similarly, if a user has successfully authenticated, and then the user’s administrator enables them for Multi-Factor Authentication, the user will not need to perform Multi-Factor Authentication on that device (Refresh Tokens are “per-device”) until the refresh token is invalid. The next time the user is forced to authenticate, they will be required to configure Multi-Factor Authentication if not previously configured, then perform MFA to be successfully issued their Access and Refresh Tokens.

I came across a scenario recently where a customer used Conditional Access to block any Windows device from being able to access Outlook from outside of the Corporate network. During testing it was found that if a user (on a laptop) was on the corporate network (including VPN) then disconnected and joined to a network with just Internet, Outlook continued to provide access for up to an hour before Conditional Access kicked in and blocked the client. This was acceptable to the user as the corporate device was considered secure but it got me thinking if there is a way to modify the default Access Token. Turns out there is…

This link from Microsoft details the configurable token lifetimes. Using this page we can determine the PowerShell commands required to amend the default values for the tokens if required.

First we need to connect to Azure AD in PowerShell. The instructions from MS recommend we connect to the AzureADPreview Module. We can download the latest from here or within PowerShell type:

Install-Module AzureADPreview

Then we need to connect to Azure AD by running the below command and entering credentials of an account with Global Admin permissions.


We can check any existing policies by running:


To create a new policy with default setting except for the Access Token we can run the below:

New-AzureADPolicy -Definition @(‘{“TokenLifetimePolicy”:{“Version”:1,”AccessTokenLifetime”:”0.08:00:00″,”MaxInactiveTime”:”14.00:00:00″,”MaxAgeSingleFactor”:”90.00:00:00″,”MaxAgeMultiFactor”:”90.00:00:00″,”MaxAgeSessionSingleFactor”:”until-revoked”,”MaxAgeSessionMultiFactor”:”until-revoked”}}’) -DisplayName “OrganizationDefaultPolicyScenario” -IsOrganizationDefault $true -Type “TokenLifetimePolicy”

This would have maybe helped the customer above if they wanted to allow a longer access token refresh period for their users, but the above can also be used to limit the refresh period or configure other aspects of the Modern Authentication tokens.

like what you see? 

Sign-up to our newsletter and never miss out on the latest blogs, events and tech news from the world of risual
Give it a try, you can unsubscribe anytime.