Learning and Sharing
  • Home
  • Blog
  • Linux
  • macOS
  • Virtualization
    • VMware
    • VirtualBox
  • Windows
    • Windows 11
    • Windows 10
    • Windows Server
  • Series
    • Symantec
    • Intune
    • Microsoft Azure
    • Powershell
    • VirtualBox
    • VMware
    • PowerShell Learning
    • Microsoft Graph
  • More
    • Auto Installation
    • AEC Installation
  • Contact
No Result
View All Result
  • Home
  • Blog
  • Linux
  • macOS
  • Virtualization
    • VMware
    • VirtualBox
  • Windows
    • Windows 11
    • Windows 10
    • Windows Server
  • Series
    • Symantec
    • Intune
    • Microsoft Azure
    • Powershell
    • VirtualBox
    • VMware
    • PowerShell Learning
    • Microsoft Graph
  • More
    • Auto Installation
    • AEC Installation
  • Contact
No Result
View All Result
No Result
View All Result

Microsoft Graph Access Token Lifetimes and Long-Running PowerShell Scripts

August 29, 2023
in Blog, Microsoft Graph, Powershell
0
ADVERTISEMENT

Table of Contents

Microsoft Graph Access Token Lifetimes

In some cases, after roughly an hour into the script, it failed with a 401 Unauthorized error. The reason is that the access token granted to the app to allow it to run Graph requests to fetch data expired, meaning that the next time the app tried to request data, the Graph refused.

Get-MgUser : Lifetime validation failed, the token is expired.
At line:1 char:1
+ Get-MgUser
+ ~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ ConsistencyLe…ndProperty = }:<>f__AnonymousType62`8) [Get-MgUser_Li
st1], RestException`1
+ FullyQualifiedErrorId : InvalidAuthenticationToken,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List1

The default Entra ID access token lifetime varies between 60 and 90 minutes (75 minutes on average). The variation exists on purpose to avoid cyclical spikes in demand. 

Exceptions to the rule do exist. For example, applications like SharePoint Online and OWA that support continuous access evaluation (CAE) can use tokens that last up to 28 hours. These apps support a feature known as claim challenge that is unlikely to be found in apps that execute Graph requests through PowerShell.

PS C:\> Get-MsalToken @params

AccessToken                  : eyJ0e...
IsExtendedLifeTimeToken      : False
UniqueId                     :
ExpiresOn                    : 8/25/2023 2:37:19 PM +00:00
ExtendedExpiresOn            : 8/25/2023 2:37:19 PM +00:00
TenantId                     :
Account                      :
IdToken                      :
Scopes                       : {https://graph.microsoft.com/.default}
CorrelationId                : 8e1bd09c-e8f9-4e0e-9e3a-e6ada6ce1c20
TokenType                    : Bearer
ClaimsPrincipal              :

Apps can retrieve access tokens from Entra ID using different OAuth 2.0 authentication flows, including password, device code, and authorization code. Entra ID registered apps usually use the client credentials authentication flow. The app authenticates using its own credentials instead of trying to impersonate a user. Valid app credentials include a secret known to the app, a certificate, or a certificate thumbprint.

$ClientSecret = 'v~58Q~sf0AcfemVucNGGC1yxETFejdzxgZd4taqg'
$params = @{
    ClientId = '87c980ca-a1dd-4748-98db-8007af2bdc70'
    TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
    ClientSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force
    AzureCloudInstance = '1'
}

$msalToken = Get-MsalToken @params

$timeNow = (Get-Date).ToUniversalTime()
$expiresOn = $msalToken.ExpiresOn.DateTime
(New-TimeSpan -Start $timeNow -End $expiresOn).TotalHours
PS C:\> (New-TimeSpan -Start $current -End $expiresOn).TotalHours
1.00044862475

The client credentials authentication flow does not include the issuance of a refresh token. The lack of a refresh token, which allows apps to silently renew access tokens, means that if you want to keep a script running, you must either:

  • Configure the tenant with a longer access token lifetime.
  • Include code in the script to fetch a new access token before the current one expires.

Configurable Entra ID Access Token Lifetimes

Entra ID supports configurable token lifetimes. This is a preview feature that can set a longer lifetime for an access token. However, the current implementation supports setting token lifetimes for all apps in an organization or for multi-tenant applications. 

For instance, the below steps create a new token lifetime policy that sets a default 8-hour token lifetime. Note the organization default setting is True, so this policy applies to all apps in the organization.

1️⃣ Connect to Microsoft Graph PowerShell with the required scope as follows:

Connect-MgGraph -Scopes Policy.ReadWrite.ApplicationConfiguration

2️⃣ Create a new Token Lifetime Policy. The below code will creat a policy with access token life time is 8-hour.

$policySettings = @{
    "definition"= @("{'TokenLifetimePolicy':{'Version': 1, 'AccessTokenLifetime': '8:00:00'}}")
    "displayName"= "Org-wide 8 Hrs AccessTokenPolicy"
    "IsOrganizationDefault" = $True
} 
New-MgPolicyTokenLifetimePolicy -BodyParameter $policySettings

You can check the policy has been created by using Get-MgPolicyTokenLifetimePolicy  cmdlet.

PS C:\Users\admin> Get-MgPolicyTokenLifetimePolicy | fl

AppliesTo             :
Definition            : {{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}}
DeletedDateTime       :
Description           :
DisplayName           : WebPolicyScenario
Id                    : 1eccd309-a795-4b79-bfaa-6617371798db
IsOrganizationDefault : False
AdditionalProperties  : {}

AppliesTo             :
Definition            : {{'TokenLifetimePolicy':{'Version': 1, 'AccessTokenLifetime': '8:00:00'}}}
DeletedDateTime       :
Description           :
DisplayName           : Org-wide 8 Hrs AccessTokenPolicy
Id                    : b47998e6-730b-48f0-a96a-b3469ebc3c8b
IsOrganizationDefault : True
AdditionalProperties  : {}

3️⃣ To test the policy, use an app to request an access token. Here is some PowerShell code to get an access token using the client credentials authentication flow. In this case, the credential is a client secret stored in the app.

$ClientSecret = 'v~58Q~sf0AcfemVucNGGC1yxETFejdzxgZd4taqg'
$params = @{
    ClientId = '87c980ca-a1dd-4748-98db-8007af2bdc70'
    TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
    ClientSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force
    AzureCloudInstance = '1'
}

$current = (Get-Date).ToUniversalTime()
$expiresOn = (Get-MsalToken @params).ExpiresOn.DateTime
(New-TimeSpan -Start $current -End $expiresOn).TotalHours

To verify that the token lifetime works is expected, compare the time of issuance with the expiration time. In this instance, the timespan should be 8 hours.

PS C:\> (New-TimeSpan -Start $current -End $expiresOn).TotalHours

8.00046347330555
Note Note: The access token lifetime should be not over 24 hours.
$PolicySettings = @{
    "definition"= @("{'TokenLifetimePolicy':{'Version': 1, 'AccessTokenLifetime': '28:00:00'}}")
    "displayName"= "Org-wide 24 Hrs AccessTokenPolicy"
    "IsOrganizationDefault" = $True
} 

If you try to set it over a day, you will get the below error.

New-MgPolicyTokenLifetimePolicy : Property definition has an invalid value.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2023-08-26T00:03:46
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding

Although creating a token lifetime policy with a new default lifetime for the organization works, increasing token lifetime in this manner is not something to do on a whim. It would be better to be able to assign a token lifetime policy only to the apps that need to use extended token lifetimes.

Tracking Entra ID Access Token Lifetime in Scripts

The alternative is to incorporate code into scripts to track the lifetime of an access token so that the script can retrieve a new token before the old one expires. A function checks if the current time is greater than the calculated token expiration time. If it is, the script requests a new token:

function GetAccesstoken {    
    $ClientSecret = 'v~58Q~sf0AcfemVucNGGC1yxETFejdzxgZd4taqg'
    $params = @{
        ClientId = '87c980ca-a1dd-4748-98db-8007af2bdc70'
        TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
        ClientSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force
        AzureCloudInstance = '1'
    }
    $msalToken = Get-Msaltoken @params
    $token = $msalToken.Accesstoken
    Write-Host ("Retrieved new access token at {0}" -f (Get-Date)) -foregroundcolor red
    Return $token
}
Function Check-Accesstoken {
    $timeNow = (Get-Date).ToUniversalTime()
    if($timeNow -le $msalToken.ExpiresOn.DateTime) {
      $Global:token = GetAccesstoken
    }
    Return $token
}

$Global:token = Check-Accesstoken

The function can then be called whenever necessary within the script.

foreach (...) {
    ...
    $Global:token = Check-Accesstoken
}
PS C:\> $Global:token = Check-Accesstoken
Retrieved new access token at 8/25/2023 10:23:06 PM

This is a relatively unsophisticated mechanism, but it allows the script to process tens of thousands of groups. Variations on the theme can handle other situations.

Conclusion

The default lifetime for an access token is sufficient for most scripts. Even scripts that run dozens of Graph requests can usually complete processing in a few minutes. It is scripts that must retrieve tens of thousands of items (or even hundreds of thousands of items) that usually deal with inadequate Entra ID access token lifetimes. In those cases, you’ll be glad that methods exist to avoid the dreaded 401 Unauthorized error.

Not a reader? Watch this related video tutorial:

5/5 - (1 vote)
Previous Post

Connect-MgGraph : Cannot Bind Parameter AccessToken MSAL PowerShell

Next Post

How to Split an Email Addresses with PowerShell

Related Posts

Running Hyper-V and VMware Workstation on The Same Machine

August 15, 2024

How to Uninstall All Autodesk Products At Once Silently

July 29, 2024
Ftr5

How to Uninstall the Autodesk Genuine Service on Windows

July 29, 2024
Ftr19

How to Fix Windows Cannot Read the ProductKey From the Unattend Answer File in VirtualBox

July 26, 2024
Ftr25

How to Update Windows Terminal in Windows 10/11

July 26, 2024

How to Disable The Beep Sound in WSL Terminal on Windows

July 26, 2024

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • How To Turn On uBlock Origin Extension in Chrome (2025)
  • Images Hidden Due To Mature Content Settings In CivitAI
  • Azure OpenAI vs Azure AI Hub, How to Choose the Right One for Your Needs

Categories

Stay in Touch

Discord Server

Join the Discord server with the site members for all questions and discussions.

Telegram Community

Jump in Telegram server. Ask questions and discuss everything with the site members.

Youtube Channel

Watch more videos, learning and sharing with Leo ❤❤❤. Sharing to be better.

Newsletter

Join the movement and receive our weekly Tech related newsletter. It’s Free.

General

Microsoft Windows

Microsoft Office

VMware

VirtualBox

Technology

PowerShell

Microsoft 365

Microsoft Teams

Email Servers

Copyright 2025 © All rights Reserved. Design by Leo with ❤

No Result
View All Result
  • Home
  • Linux
  • Intune
  • macOS
  • VMware
  • VirtualBox
  • Powershell
  • Windows 10
  • Windows 11
  • Microsoft 365
  • Microsoft Azure
  • Microsoft Office
  • Active Directory

No Result
View All Result
  • Home
  • Linux
  • Intune
  • macOS
  • VMware
  • VirtualBox
  • Powershell
  • Windows 10
  • Windows 11
  • Microsoft 365
  • Microsoft Azure
  • Microsoft Office
  • Active Directory