Extend Access Token Lifetime of an Azure AD Application


Problem description

Hello, I want to extend the access token lifetime of my Azure app registration. I understand that there were a lot of SO questions already, but none of them seem to work, so instead of answering on each one of them with my question, I figured I would create a new question.

I use the following PowerShell code to create an Azure AD policy to extend the lifetime and attach it to my app registration.

# import the Azure AD module
Import-Module AzureADPreview

# connect with an admin with proper privileges
Connect-AzureAD

# specify the policy name and Azure application name
$policyName = "ExtendedLifeTimePolicyADAppRegistration"
$applicationName = "AzureTest"

Write-Host "Create a new policy"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"04:00:00","MaxInactiveTime":"04:00:00","MaxAgeMultiFactor":"04:00:00","MaxAgeSingleFactor":"04:00:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# get the Azure AD application
$app = Get-AzureADApplication -Filter "DisplayName eq '$applicationName'"
Write-Host "Apply the new policy"
Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id

Write-Host "Get assigned policies..."
Get-AzureADApplicationPolicy -Id $app.ObjectId

No error code has been shown, and Get-AzureADApplicationPolicy returned that the policy is connected to my Azure AD application.

The following code prints the access token and the expiry: I used this code to print out the access token from the Azure AD app registration.

Disconnect-AzureRmAccount
if (-not (Get-Module AzureRm.Profile)) {
    Import-Module AzureRm.Profile
}

function Get-AzureRmCachedAccessToken()
{
    $ErrorActionPreference = 'Stop'

    if (-not (Get-Module AzureRm.Profile)) {
        Import-Module AzureRm.Profile
    }
    $azureRmProfileModuleVersion = (Get-Module AzureRm.Profile).Version
    # refactoring performed in AzureRm.Profile v3.0 or later
    if ($azureRmProfileModuleVersion.Major -ge 3) {
        $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
        if (-not $azureRmProfile.Accounts.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    } else {
        # AzureRm.Profile < v3.0
        $azureRmProfile = [Microsoft.WindowsAzure.Commands.Common.AzureRmProfileProvider]::Instance.Profile
        if (-not $azureRmProfile.Context.Account.Count) {
            Write-Error "Ensure you have logged in before calling this function."
        }
    }

    $currentAzureContext = Get-AzureRmContext
    $currentAzureContext                          # print the current context
    $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
    Write-Debug ("Getting access token for tenant " + $currentAzureContext.Tenant.TenantId)
    $currentAzureContext.TokenCache.ReadItems()   # dump the cached token entries
    $token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
    echo "####"
    $token                                        # token object, including its expiry
    echo "####"
}

# placeholder values: replace with the tenant id, application (client) id and client secret of the app registration
$tenantId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

$passwd = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($ClientId, $passwd)

#Connect-AzurermAccount -Credential $pscredential -Tenant $tenantId
Add-AzureRmAccount -Credential $pscredential -TenantId $tenantId -ServicePrincipal
Get-AzureRmCachedAccessToken

First I thought my code to capture the access token is not valid enough because it is cached, so I tried the following code from the MS doc following this link in Postman. But this has the same output as the previous PowerShell code, which is the same default expiry of 1 hour.

In previous SO questions I've seen that people who changed the IsOrganizationDefault variable to "true" did get the AD policy working. Two remarks on this:

  1. I do not have permission to set this value to true, because it would affect the entire tenant.
  2. I do not want to set this to true, because it would also affect any other user who creates an app registration and retrieves an access token.

Does anyone see what I am missing, what I forgot to do or what I did wrong?

Recommended answer

Per my test, it currently only works with -IsOrganizationDefault $true, no matter whether you use Add-AzureADServicePrincipalPolicy or Add-AzureADApplicationPolicy; with -IsOrganizationDefault $false, neither works.

You should note that the feature Configurable token lifetimes in Azure Active Directory (Preview) is in preview, and also that the PowerShell commands you used are only in AzureADPreview. I believe the feature may not have been implemented completely, so it caused the issue.
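One check worth running after applying the policy, as an added example that is not part of the original question or answer: decode a freshly issued access token (the one returned by the client-credentials request, not an entry read back from the AzureRm token cache) and measure its lifetime from the exp and iat claims, then compare that with the AccessTokenLifetime string in the policy definition. The function names and the unsigned sample token below are constructed for this example; the claims are inspected only, the signature is not validated.

```powershell
# Added example, not from the original question or answer: measure the real
# lifetime of an Azure AD access token from its exp/iat claims and compare it
# with the AccessTokenLifetime value ("04:00:00") used in the TokenLifetimePolicy.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtLifetime {
    # Reads claims only; the token signature is NOT validated here.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT (expected 3 dot-separated parts)" }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.iat)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    [pscustomobject]@{
        Audience  = $claims.aud
        IssuedAt  = $issued
        ExpiresAt = $expires
        Lifetime  = $expires - $issued
    }
}

function Test-TokenLifetime {
    # Compares the measured lifetime with the policy's AccessTokenLifetime string;
    # a one-minute tolerance absorbs clock skew between issuer and client.
    param([Parameter(Mandatory)][string]$Jwt,
          [Parameter(Mandatory)][string]$ExpectedLifetime)
    $expected = [TimeSpan]::Parse($ExpectedLifetime)
    $actual   = (Get-JwtLifetime $Jwt).Lifetime
    [Math]::Abs(($actual - $expected).TotalSeconds) -le 60
}

# Constructed sample token (unsigned, placeholder signature) with a 4-hour lifetime.
# In practice, pass the access_token returned by the client-credentials request.
$header  = '{"alg":"none","typ":"JWT"}'
$payload = '{"aud":"https://management.azure.com/","iat":1600000000,"exp":1600014400,"appid":"00000000-0000-0000-0000-000000000000"}'
$b64url  = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$sample  = "$(& $b64url $header).$(& $b64url $payload).placeholder"

Get-JwtLifetime $sample | Format-List
Test-TokenLifetime -Jwt $sample -ExpectedLifetime '04:00:00'   # True: the policy value is in effect
Test-TokenLifetime -Jwt $sample -ExpectedLifetime '01:00:00'   # False: this is not the 1-hour default
```

A token that still reports a one-hour lifetime after the policy was attached means the policy is not being applied to that token issuance, which is exactly the symptom described in the question.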
