Managing Timeouts for SharePoint and Azure AD integrations

Many companies still run SharePoint on-premises, and some of them have integrated it with Azure Active Directory. This can be done quite easily by following the steps described in this article:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial

In that article the custom claims provider AzureCP is used to configure SharePoint with Azure AD as a trusted identity provider. I do recommend this solution: it is very easy to set up, and Yvan Duhamel (did you know he is an Escalation Support Engineer for SharePoint at Microsoft?) provides great support for it.

Timeouts

Recently, I set up a SharePoint 2019 environment with Azure AD integration for a customer. After a week the customer told me they were being asked to sign in far too often during the day: after roughly 30 minutes of idle time they had to log in again.

We ran some tests and could reproduce it: after about 30 minutes we were indeed prompted to log in again. That pointed at the lifetime of the token issued by Azure AD.

Azure AD token lifetime policy

Since authentication and authorization are done by Azure AD through the registered enterprise application for SharePoint On-Premises, the fix lives in Azure AD: a token lifetime policy (an Azure AD policy object of type TokenLifetimePolicy, not to be confused with Azure Policy, the resource governance service). With such a policy you specify the lifetime of the tokens Azure AD issues for that application.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Although the documented defaults are much longer than the 30 minutes we experienced at the customer, we decided to create a dedicated policy for SharePoint and assign it to the enterprise application only (not as the organization default), so that no other application picks up the longer lifetime by accident.

# Connect to your Azure AD
Connect-AzureAD

# Create a new AzureAD Policy defining your TokenLifeTime settings
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00","MaxAgeSessionSingleFactor":"08:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# Get the reference to your SharePoint OnPremises enterprise application in AzureAD
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'SharePoint On-Premises'"

# Assign your policy to the SharePoint OnPremises enterprise application
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
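Before closing the ticket it is worth verifying what actually got assigned, and keeping an eye on how many policies in the tenant hand out long-lived tokens. The script below is an added example, not code from the original post or from AzureCP; it assumes the same AzureAD PowerShell module and the same display names as above, and the 8-hour threshold is an assumption you should adjust to your own policy.

```powershell
# Added example, not part of the original post. Audits every TokenLifetimePolicy
# in the tenant and shows which ones are attached to the SharePoint on-premises
# enterprise application. Assumes the AzureAD module and the display names above.
Connect-AzureAD

# Longest access token lifetime we are willing to accept (assumption: 8 hours)
$maxAcceptable = [TimeSpan]::Parse("08:00:00")

function Get-TokenLifetimeReport {
    param([object[]]$Policies)
    foreach ($p in $Policies) {
        # Definition is a list of JSON strings, each holding a TokenLifetimePolicy object
        foreach ($json in $p.Definition) {
            $def = ($json | ConvertFrom-Json).TokenLifetimePolicy
            $life = $null
            if ($def.AccessTokenLifetime) {
                $life = [TimeSpan]::Parse($def.AccessTokenLifetime)
            }
            [PSCustomObject]@{
                DisplayName         = $p.DisplayName
                Id                  = $p.Id
                IsTenantDefault     = $p.IsOrganizationDefault
                AccessTokenLifetime = $life
                ExceedsLimit        = ($null -ne $life -and $life -gt $maxAcceptable)
            }
        }
    }
}

# 1. Every token lifetime policy in the tenant, flagged when it exceeds the limit
$all = Get-AzureADPolicy | Where-Object { $_.Type -eq "TokenLifetimePolicy" }
Get-TokenLifetimeReport -Policies $all | Format-Table -AutoSize

# 2. Only the policies actually attached to the SharePoint service principal
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'SharePoint On-Premises'"
$attached = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
Get-TokenLifetimeReport -Policies $attached | Format-Table -AutoSize

# 3. Rollback, if the longer lifetime turns out to be unacceptable
#    (replace <policy id> with the Id from the report above)
# Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId "<policy id>"
```

Run step 2 right after the assignment: if the SharePoint service principal shows no attached policy, Azure AD is still applying the tenant defaults and the sign-in prompts will continue.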

With the above example the access token lifetime for the SharePoint On-premises application is 8 hours, one working day, and the customer no longer gets so many login prompts. Keep in mind what that trades off: a longer-lived token is usable for longer if it is stolen, so pick a lifetime that matches the working pattern rather than the largest value that stops the complaints. Two caveats for anyone applying this today: Microsoft has since retired the refresh and session token lifetime properties of this policy (MaxAgeSessionSingleFactor among them) in favor of Conditional Access sign-in frequency, while AccessTokenLifetime is still honored; and the AzureAD PowerShell module used here is deprecated in favor of Microsoft Graph PowerShell, so the cmdlets above will need to be mapped to their Graph equivalents.
