Table of Contents
Microsoft Graph Access Token Lifetimes
In some cases, after roughly an hour into the script, it failed with a 401 Unauthorized error. The reason is that the access token granted to the app to allow it to run Graph requests to fetch data expired, meaning that the next time the app tried to request data, the Graph refused.
Get-MgUser : Lifetime validation failed, the token is expired.
At line:1 char:1
+ Get-MgUser
+ ~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ ConsistencyLe…ndProperty = }:<>f__AnonymousType62`8) [Get-MgUser_Li
st1], RestException`1
+ FullyQualifiedErrorId : InvalidAuthenticationToken,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List1
The default Entra ID access token lifetime varies between 60 and 90 minutes (75 minutes on average). The variation exists on purpose to avoid cyclical spikes in demand.
Exceptions to the rule do exist. For example, applications like SharePoint Online and OWA that support continuous access evaluation (CAE) can use tokens that last up to 28 hours. These apps support a feature known as claim challenge that is unlikely to be found in apps that execute Graph requests through PowerShell.
PS C:\> Get-MsalToken @params
AccessToken : eyJ0e...
IsExtendedLifeTimeToken : False
UniqueId :
ExpiresOn : 8/25/2023 2:37:19 PM +00:00
ExtendedExpiresOn : 8/25/2023 2:37:19 PM +00:00
TenantId :
Account :
IdToken :
Scopes : {https://graph.microsoft.com/.default}
CorrelationId : 8e1bd09c-e8f9-4e0e-9e3a-e6ada6ce1c20
TokenType : Bearer
ClaimsPrincipal :Apps can retrieve access tokens from Entra ID using different OAuth 2.0 authentication flows, including password, device code, and authorization code. Entra ID registered apps usually use the client credentials authentication flow. The app authenticates using its own credentials instead of trying to impersonate a user. Valid app credentials include a secret known to the app, a certificate, or a certificate thumbprint.
$ClientSecret = 'v~58Q~sf0AcfemVucNGGC1yxETFejdzxgZd4taqg'
$params = @{
ClientId = '87c980ca-a1dd-4748-98db-8007af2bdc70'
TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
ClientSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force
AzureCloudInstance = '1'
}
$msalToken = Get-MsalToken @params
$timeNow = (Get-Date).ToUniversalTime()
$expiresOn = $msalToken.ExpiresOn.DateTime
(New-TimeSpan -Start $timeNow -End $expiresOn).TotalHoursPS C:\> (New-TimeSpan -Start $current -End $expiresOn).TotalHours
1.00044862475The client credentials authentication flow does not include the issuance of a refresh token. The lack of a refresh token, which allows apps to silently renew access tokens, means that if you want to keep a script running, you must either:
- Configure the tenant with a longer access token lifetime.
- Include code in the script to fetch a new access token before the current one expires.
Configurable Entra ID Access Token Lifetimes
Entra ID supports configurable token lifetimes. This is a preview feature that can set a longer lifetime for an access token. However, the current implementation supports setting token lifetimes for all apps in an organization or for multi-tenant applications.
For instance, the below steps create a new token lifetime policy that sets a default 8-hour token lifetime. Note the organization default setting is True, so this policy applies to all apps in the organization.
1️⃣ Connect to Microsoft Graph PowerShell with the required scope as follows:
Connect-MgGraph -Scopes Policy.ReadWrite.ApplicationConfiguration2️⃣ Create a new Token Lifetime Policy. The below code will creat a policy with access token life time is 8-hour.
$policySettings = @{
"definition"= @("{'TokenLifetimePolicy':{'Version': 1, 'AccessTokenLifetime': '8:00:00'}}")
"displayName"= "Org-wide 8 Hrs AccessTokenPolicy"
"IsOrganizationDefault" = $True
}
New-MgPolicyTokenLifetimePolicy -BodyParameter $policySettingsYou can check the policy has been created by using Get-MgPolicyTokenLifetimePolicy cmdlet.
PS C:\Users\admin> Get-MgPolicyTokenLifetimePolicy | fl
AppliesTo :
Definition : {{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}}
DeletedDateTime :
Description :
DisplayName : WebPolicyScenario
Id : 1eccd309-a795-4b79-bfaa-6617371798db
IsOrganizationDefault : False
AdditionalProperties : {}
AppliesTo :
Definition : {{'TokenLifetimePolicy':{'Version': 1, 'AccessTokenLifetime': '8:00:00'}}}
DeletedDateTime :
Description :
DisplayName : Org-wide 8 Hrs AccessTokenPolicy
Id : b47998e6-730b-48f0-a96a-b3469ebc3c8b
IsOrganizationDefault : True
AdditionalProperties : {}3️⃣ To test the policy, use an app to request an access token. Here is some PowerShell code to get an access token using the client credentials authentication flow. In this case, the credential is a client secret stored in the app.
$ClientSecret = 'v~58Q~sf0AcfemVucNGGC1yxETFejdzxgZd4taqg'
$params = @{
ClientId = '87c980ca-a1dd-4748-98db-8007af2bdc70'
TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
ClientSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force
AzureCloudInstance = '1'
}
$current = (Get-Date).ToUniversalTime()
$expiresOn = (Get-MsalToken @params).ExpiresOn.DateTime
(New-TimeSpan -Start $current -End $expiresOn).TotalHoursTo verify that the token lifetime works is expected, compare the time of issuance with the expiration time. In this instance, the timespan should be 8 hours.
PS C:\> (New-TimeSpan -Start $current -End $expiresOn).TotalHours
8.00046347330555$PolicySettings = @{
"definition"= @("{'TokenLifetimePolicy':{'Version': 1, 'AccessTokenLifetime': '28:00:00'}}")
"displayName"= "Org-wide 24 Hrs AccessTokenPolicy"
"IsOrganizationDefault" = $True
} If you try to set it over a day, you will get the below error.
New-MgPolicyTokenLifetimePolicy : Property definition has an invalid value.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2023-08-26T00:03:46
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Although creating a token lifetime policy with a new default lifetime for the organization works, increasing token lifetime in this manner is not something to do on a whim. It would be better to be able to assign a token lifetime policy only to the apps that need to use extended token lifetimes.
Tracking Entra ID Access Token Lifetime in Scripts
The alternative is to incorporate code into scripts to track the lifetime of an access token so that the script can retrieve a new token before the old one expires. A function checks if the current time is greater than the calculated token expiration time. If it is, the script requests a new token:
function GetAccesstoken {
$ClientSecret = 'v~58Q~sf0AcfemVucNGGC1yxETFejdzxgZd4taqg'
$params = @{
ClientId = '87c980ca-a1dd-4748-98db-8007af2bdc70'
TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
ClientSecret = $ClientSecret | ConvertTo-SecureString -AsPlainText -Force
AzureCloudInstance = '1'
}
$msalToken = Get-Msaltoken @params
$token = $msalToken.Accesstoken
Write-Host ("Retrieved new access token at {0}" -f (Get-Date)) -foregroundcolor red
Return $token
}
Function Check-Accesstoken {
$timeNow = (Get-Date).ToUniversalTime()
if($timeNow -le $msalToken.ExpiresOn.DateTime) {
$Global:token = GetAccesstoken
}
Return $token
}
$Global:token = Check-Accesstoken
The function can then be called whenever necessary within the script.
foreach (...) {
...
$Global:token = Check-Accesstoken
}PS C:\> $Global:token = Check-Accesstoken
Retrieved new access token at 8/25/2023 10:23:06 PMThis is a relatively unsophisticated mechanism, but it allows the script to process tens of thousands of groups. Variations on the theme can handle other situations.
Conclusion
The default lifetime for an access token is sufficient for most scripts. Even scripts that run dozens of Graph requests can usually complete processing in a few minutes. It is scripts that must retrieve tens of thousands of items (or even hundreds of thousands of items) that usually deal with inadequate Entra ID access token lifetimes. In those cases, you’ll be glad that methods exist to avoid the dreaded 401 Unauthorized error.
Not a reader? Watch this related video tutorial:
