This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 61%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hello,
I'm currently working with Entra External ID and have a requirement to adjust the session and token lifetimes for our applications.
Background:
Issue:
Questions:
Is it possible to adjust the session and token lifetimes in Entra External ID?
- What is the recommended approach to manage or customize session and token lifetimes in Entra External ID?
- Are there any workarounds or best practices for achieving similar functionality?
Attempts to Resolve:
Goal:
We are using standard OpenID Connect and OAuth 2.0 protocols for authentication.
Our applications are a mix of web and mobile platforms that require consistent session management.
Thank you for your assistance!
Hi @Manuel T , Entra External ID does not provide the same direct configuration options for session and token lifetimes as Azure AD B2C but you can manage these settings in other ways.
Entra External ID does not expose token lifetime settings directly in the portal. Instead, you can manage session and token lifetimes using Sign-In Frequency (SIF) and Continuous Access Evaluation (CAE). These mechanisms allow you to control how often users need to re-authenticate and how tokens are validated in real-time.
For adjusting the refresh token lifetime, you should use Sign-In Frequency (SIF). This setting can be configured to specify how often users need to sign in again.
Continuous Access Evaluation (CAE) is recommended for applications that require token agility. CAE allows tokens to be validated in real-time, ensuring that any changes in user access or security policies are immediately enforced. This approach helps maintain security and compliance without the need for frequent token refreshes.
If you need to set specific token lifetimes, you can use PowerShell or REST APIs to configure these settings.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
Hello - I am using AddMicrosoftIdentityWebApp in my Blazor Server application and setting my auth/session cookie to expire at 30 minutes:
configureCookieAuthenticationOptions: cookieAuthOptions =>
{
cookieAuthOptions.Cookie.Name = "EntraAuth";
cookieAuthOptions.Cookie.SameSite = SameSiteMode.Lax;
cookieAuthOptions.ExpireTimeSpan = TimeSpan.FromMinutes(30);
cookieAuthOptions.Cookie.MaxAge = cookieAuthOptions.ExpireTimeSpan;
cookieAuthOptions.SlidingExpiration = false;
},
When the cookie expires, the cookies are deleted as expected. On the next request to the app, the /oauth2/v2.0/authorize endpoint is called to our Entra tenant. This currently returns a 200 and the signin-oidc endpoint of the app returns a 302 so the user is not prompted to login again.
If our desire is to require the user login again after the cookie expiration, is that where setting the Session Sign-in frequency controls come in? Or is that something else?
Also, currently the Session option in Conditional Access policy is disabled. Is there something we need to do to enable this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 93%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
@James Hamil Has the session option been enabled in Conditional Access for External ID (External Tenant)? It is currently greyed out for us.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 46%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Hi @James Hamil The Session option in Conditional Access policy is disabled in Entra External ID (as @rosskoes05 & @Ryan Buening have mentioned), which prevents us from configuring the Sign-In Frequency in the way you suggested
For adjusting the refresh token lifetime, you should use Sign-In Frequency (SIF)
Note that in Entra ID (not external) Sign-In Frequency can be configured if you have P1/P2 licence. However we need the SIF to be available for our External tenant. Any suggestions on how to do that?
Whether it's through the UI, Powershell or REST requests we really need to find a way to lengthen our refresh token lifetime.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 78%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
@James Hamil This is SUPER important to us. Do you know why that Sessions section of Conditional Access Policy is disabled?