Microsoft has changed the default settings for Azure Active Directory refresh tokens, but just for new tenancies.
Refresh token expirations were causing access frustrations for end users, Microsoft contended, so it made them last longer. The change particularly helps in cases where users haven’t been actively authenticating their clients.
The policy change, announced this week, is just in effect for new Azure AD accounts. Settings for existing accounts aren’t changing.
Refresh Token Defaults
New Azure AD tenants are getting the following defaults for refresh tokens:
- Refresh Token Inactivity: 90 Days
- Single/Multi factor Refresh Token Max Age: until-revoked
- Refresh token Max Age for Confidential Clients: until-revoked
The first item, “refresh token inactivity,” concerns clients that haven’t been actively authenticating: once a refresh token has gone unused for that period, the client must sign in again to obtain a new one. The second item pertains to successfully authenticated clients and how long they can continue to use a refresh token, counted from when it was issued. The last item is the same idea, except it applies to “confidential clients,” such as Web apps. Microsoft defines confidential clients as “applications that can securely store a client password (secret).”
One caveat for new tenancies is that the refresh token inactivity default period won’t be in effect “if you configured Refresh Token Max Inactive Time to a custom value or if you configured federation with Azure AD and another authentication system,” Microsoft’s announcement warned.
Organizations that want different token settings can use Azure AD’s “configurable token lifetimes” preview capability. It includes the ability to revert to the earlier settings, if wanted. The setting for MaxAge for confidential clients “can’t be modified,” although it can be revoked, Microsoft’s announcement noted.
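The two limits above behave differently: inactivity is a sliding window that resets on every use, while max age is an absolute bound from issuance, and “until-revoked” removes the bound entirely. The following added model (not Microsoft’s code) evaluates a refresh token against those rules using the new-tenant defaults; the “d.hh:mm:ss” duration notation and the policy field names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

UNTIL_REVOKED = "until-revoked"


def parse_lifetime(value: str) -> Optional[timedelta]:
    """Parse an assumed 'd.hh:mm:ss' lifetime; None means no bound (until-revoked)."""
    if value == UNTIL_REVOKED:
        return None
    days, _, clock = value.partition(".")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return timedelta(days=int(days), hours=hours, minutes=minutes, seconds=seconds)


@dataclass
class RefreshTokenPolicy:
    max_inactive: Optional[timedelta]  # sliding window since the token was last used
    max_age: Optional[timedelta]       # absolute bound since the token was issued
    revoked: bool = False              # explicit revocation always wins


# Constructed policy mirroring the defaults listed for new tenants.
NEW_TENANT_DEFAULTS = RefreshTokenPolicy(
    max_inactive=parse_lifetime("90.00:00:00"),
    max_age=parse_lifetime(UNTIL_REVOKED),
)


def refresh_token_accepted(policy: RefreshTokenPolicy, issued_at: datetime,
                           last_used_at: datetime, now: datetime) -> bool:
    """Return True if a refresh token would still be honoured under the policy."""
    if policy.revoked:
        return False
    # Inactivity: only the time since the most recent use matters.
    if policy.max_inactive is not None and now - last_used_at > policy.max_inactive:
        return False
    # Max age: measured from issuance, regardless of how often the token was used.
    if policy.max_age is not None and now - issued_at > policy.max_age:
        return False
    return True


if __name__ == "__main__":
    issued = datetime(2017, 1, 1)
    used = datetime(2017, 6, 1)
    print(refresh_token_accepted(NEW_TENANT_DEFAULTS, issued, used, datetime(2017, 8, 1)))   # True
    print(refresh_token_accepted(NEW_TENANT_DEFAULTS, issued, used, datetime(2017, 9, 15)))  # False
```

A token used on June 1 is still honoured on August 1 (61 days idle) but not on September 15 (107 days idle), while its age since January is never a factor under an until-revoked max age.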
Microsoft made the settings changes because its research didn’t find any correlation between extended refresh token lifespans and the likelihood of accounts getting compromised. Access tokens, on the other hand, “still expire on much shorter time frames” than refresh tokens, Microsoft noted.
Azure AD uses three types of tokens, namely “access tokens,” “refresh tokens” and “ID tokens.” The overall scheme describing how they all work is outlined in this Azure document.
Azure AD Connect Health Perks
Microsoft this week also had an announcement regarding its Azure AD Connect Health solution. Organizations can use Azure AD Connect Health to check for performance and synchronization issues between the Active Directory running in the organization’s on-premises environment and Microsoft’s Azure Active Directory service.
First, Microsoft announced that using the sync error reporting capability of Azure AD Connect Health “does not require Azure AD Premium.” Last year, Microsoft released its “Azure AD Connect Health for Sync” tool, but it required the use of an Azure AD Premium subscription back then. However, the sync reporting capability is just one aspect of the Azure AD Connect Health tool. To use the Azure AD Connect Health service at all, an organization will need to have “at least one Azure AD Premium license,” according to Microsoft’s Azure AD Connect Health FAQ.
Next, Microsoft added “duplicate attribute resiliency” information into the sync error reports of Azure AD Connect Health. Duplicate attribute resiliency is an Azure AD feature that Microsoft added last year. It quarantines objects with duplicate attributes and sends an error report, according to Microsoft’s description. The Azure AD Connect Health service now includes “errors reported on the Azure AD Connect server as well as errors introduced by the Duplicate Attribute Resiliency feature,” Microsoft’s announcement explained. Users get instructions on how to fix the errors, it added.
Lastly, Microsoft added a “FederatedDomainChange” reporting error to the Azure AD Connect Health service. Those kinds of reporting errors show up when users get switched “from one federated domain to another.” For instance, the error will get reported when synchronization fails because the user was switched from LinkedIn.com to Microsoft.com.