MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Refresh Token Max Inactive Time - 90 days #85320

Closed vacuvi closed 2 years ago

vacuvi commented 2 years ago

Refresh Token Max Inactive Time - 90 days

As per the document https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-and-session-token-lifetime-policy-properties:

"As of January 30, 2021 customers can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the default configuration."

The default lifetime for refresh tokens is 90 days. I am aware that we can use CA policies https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime to configure User sign-in frequency, however, is there any explanation/justification/logic behind why 90 days was selected as the lifetime value?

Thanks.



shashishailaj commented 2 years ago

@vacuvi Thank you for your feedback. We will investigate and update the thread.

amanmcse commented 2 years ago

@vacuvi Refresh tokens are long-lived tokens. The OAuth RFC doesn't specify any default value to be used for the refresh tokens. Every IDP can have its own implementation of the default lifetime, but you can set/change the lifetime as per your requirement.