未应用Azure AD可配置令牌的生存期 [英] Azure AD Configurable Token Lifetimes not being Applied

问题描述

我想更改Azure AD 如此处所示，但似乎未应用更改。

I want to change the default token lifetimes in Azure AD as shown here, but it looks like the changes are not being applied.

我正在使用PowerShell cmdlet运行以下命令在PowerShell画廊的 AzureAdPreview模块中：

I am running the following commands using the PowerShell cmdlets in the AzureAdPreview module from the PowerShell Gallery:

New-AzureADPolicy -Definition @("{`"TokenLifetimePolicy`":{`"Version`":1, `"AccessTokenLifetime`":`"10:00`",`"MaxInactiveTime`":`"10:00`",`"MaxAgeSingleFactor`":`"10:00`",`"MaxAgeMultiFactor`":`"10:00`",`"MaxAgeSessionSingleFactor`":`"10:00`",`"MaxAgeSessionMultiFactor`":`"10:00`"}}") -DisplayName AbsoluteMinimumPolicyScenario -IsOrganizationDefault $false -Type TokenLifetimePolicy

我想将所有令牌生存期设置为最短10分钟，以便测试Web API中的某些身份验证代码。

I want to set all token lifetimes to the bare-minimum 10 minutes in order to test some auth code in my web API.

然后我将此策略分配给我已在Azure AD中注册的应用程序：

I then assign this policy to my registered application in Azure AD:

Add-AzureADApplicationPolicy -ObjectId <application-object-id> -RefObjectId <policy-id>

使用 Get-AzureADPolicyAppliedObject -ObjectId< policy-id> 我确认我的策略已经应用到我的应用程序中。

Using Get-AzureADPolicyAppliedObject -ObjectId <policy-id> I confirm that my policy has been applied to my application...

...但是，当我尝试在登录期间检索新的访问令牌时（使用ADAL），我可以看到到期日期仍为默认的1小时。

... and yet, when I attempt to retrieve a fresh access token during login (using ADAL), I can see that the expiry date is still at the default of 1 hour.

我在做什么错了？

推荐答案

我通过仅使用 New-AzureADPolicy cmdlet并设置了-使它起作用IsOrganizationDefault $ true 不是 $ false 。效果需要一段时间才能看到。因此，请等待大约30分钟到一个小时（我不知道确切要花多长时间）。之后，将创建并应用您的新策略。还请记住，这是PowerShell，因此cmdlet中没有空格。

I made it work by only using New-AzureADPolicy cmdlet and setting -IsOrganizationDefault $true not $false. The effect takes a while for you to see it. So wait for about 30 minutes to an hour (I don't know how long exactly). After that your new policy will be created and applied. Also remember that this is PowerShell, so no whitespaces in the cmdlet.

示例：

New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxInactiveTime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "PolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

多行版本：

New-AzureADPolicy -Definition @(
    '
        {
            "TokenLifetimePolicy":
                {
                    "Version": 1,
                    "AccessTokenLifetime": "02:00:00",
                    "MaxInactiveTime": "02:00:00",
                    "MaxAgeSessionSingleFactor": "02:00:00"
                }
        }
    '
    ) -DisplayName "PolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

Microsof可以使用 IsOrganizationDefault $ true 解决此问题。在问题中详细了解以下内容： Azure AD可配置令牌生命周期未得到应用。

Microsoft may fix the issue with IsOrganizationDefault $true. Read more on this in the question: Azure AD Configurable Token Lifetimes not being Applied.

这篇关于未应用Azure AD可配置令牌的生存期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！