Access token expiration
More information on access token expiration would be desirable. I had the following questions: When is a new access token issued? (It seems it is not issued when you call the endpoint.) As far as I understand, I am supposed to implement retry logic in my application so that it gets a new token when it gets a connection failure (because the token is expired). What do I need to do to prevent retries? Can I get a new access token before the old one has expired? If yes, how can I do this, and what is the time span between the tokens?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: aaf35ebc-b14e-167f-9f73-c7df4d2b60b5
- Version Independent ID: 32e1d780-ca81-a67c-1af0-b7f0bfc8149c
- Content: Use managed identities on a virtual machine to acquire access token - Microsoft Entra
- Content Source: articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md
- Service: active-directory
- Sub-service: msi
- GitHub Login: @barclayn
- Microsoft Alias: barclayn
@schwichti Thanks for your feedback! We will investigate and update as appropriate.
@schwichti Thank you for your question. When a new access token is issued, it is typically done when the previous token has expired. The expiration time of the access token is set by the Azure AD service and can be configured by the administrator. The default expiration time for an access token is 1 hour.
To prevent retries, you can implement retry logic in your application that checks if the access token is still valid before making a request. If the access token is expired, your application can request a new access token before making the request. You can get a new access token before the old one is expired by using the refresh token. The refresh token is a long-lived token that can be used to obtain a new access token without requiring the user to sign in again.
To use the refresh token, you can make a request to the Azure AD token endpoint with the refresh token and the client ID and client secret of your application. The response will include a new access token and a new refresh token. The time span between the tokens depends on the expiration time set by the Azure AD service.
@ManoharLakkoju-MSFT thanks for the quick reply. The document says that the refresh token is "not used by managed identities for Azure resources." It seems that the access tokens I got from http://169.254.169.254/metadata/identity/oauth2/token are valid for 24h.

> When a new access token is issued, it is typically done when the previous token has expired.

Does this imply that there can be a short period where the old access token has expired and the new access token has not been issued yet?
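One way to implement the pre-expiry renewal and retry logic discussed in this thread, as an added example that is not part of the original issue or of Microsoft's documentation: it calls the IMDS token endpoint quoted above, caches the returned token, renews it a fixed margin before `expires_on` (so a request never goes out with an expired token and there is no gap between the old token expiring and a new one being obtained), retries with exponential backoff on transient failures, and keeps serving the old token when renewal fails while that token is still valid. No refresh token is involved. The `api-version` value, the 300-second margin, the response field names `access_token`/`expires_on`, and the fake IMDS responses in `demo()` are assumptions constructed for this example; `fetch_imds_token` only works on an Azure VM, which is why the cache accepts any fetch callable.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Endpoint as quoted in the thread. The api-version value is an assumption for this example.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def fetch_imds_token(resource: str) -> Dict[str, str]:
    """Request a token for `resource` from the VM's IMDS endpoint (only works on an Azure VM).
    TokenCache takes any callable with this signature, so the logic can be exercised offline."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenCache:
    """Holds one access token per resource and renews it `refresh_margin` seconds before
    `expires_on`. A request therefore never goes out with an expired token, and there is
    no window between the old token expiring and the new one being obtained."""

    def __init__(self, resource: str, fetch: Callable[[str], Dict[str, str]] = fetch_imds_token,
                 clock: Callable[[], float] = time.time, sleep: Callable[[float], None] = time.sleep,
                 refresh_margin: int = 300, max_attempts: int = 3, backoff: float = 1.0) -> None:
        self.resource = resource
        self.fetch = fetch
        self.clock = clock
        self.sleep = sleep
        self.refresh_margin = refresh_margin
        self.max_attempts = max_attempts
        self.backoff = backoff
        self._token: Optional[str] = None
        self._expires_on: float = 0.0

    def _remaining(self) -> float:
        return self._expires_on - self.clock()

    def _refresh(self) -> None:
        last_err: Optional[Exception] = None
        for attempt in range(self.max_attempts):
            try:
                body = self.fetch(self.resource)
                self._token = body["access_token"]
                self._expires_on = float(body["expires_on"])  # Unix seconds, assumed to arrive as a string
                return
            except Exception as err:  # network error, non-2xx status, malformed body
                last_err = err
                if attempt + 1 < self.max_attempts:
                    self.sleep(self.backoff * (2 ** attempt))  # exponential backoff between retries
        if self._remaining() > 0:
            return  # renewal failed but the old token is still valid: keep serving it
        raise RuntimeError(f"could not obtain a token for {self.resource}") from last_err

    def get_token(self) -> str:
        """Return a valid token, renewing early when less than `refresh_margin` seconds remain."""
        if self._token is None or self._remaining() <= self.refresh_margin:
            self._refresh()
        assert self._token is not None
        return self._token


def demo() -> Dict[str, object]:
    """Offline walkthrough with constructed IMDS-style responses, a fake clock and two
    simulated transient failures. Returns the tokens handed out and the number of fetches."""
    now = [1_700_000_000.0]
    calls: List[float] = []

    def fake_fetch(resource: str) -> Dict[str, str]:  # constructed stand-in for IMDS
        calls.append(now[0])
        if len(calls) in (3, 4):
            raise ConnectionError("simulated transient IMDS failure")
        return {"access_token": f"tok{len(calls)}", "expires_on": str(int(now[0]) + 86400),
                "expires_in": "86400", "resource": resource, "token_type": "Bearer"}

    cache = TokenCache("https://management.azure.com/", fetch=fake_fetch,
                       clock=lambda: now[0], sleep=lambda _s: None,
                       refresh_margin=300, max_attempts=2)
    handed_out: List[str] = []
    handed_out.append(cache.get_token())  # no token yet: fetch #1 -> tok1
    now[0] += 86400 - 600
    handed_out.append(cache.get_token())  # 600 s left, above the margin: cached tok1
    now[0] += 400
    handed_out.append(cache.get_token())  # 200 s left: renewed early, fetch #2 -> tok2
    now[0] += 86400 - 100
    handed_out.append(cache.get_token())  # fetches #3 and #4 fail; tok2 still valid, so it is reused
    now[0] += 200
    handed_out.append(cache.get_token())  # tok2 expired: fetch #5 -> tok5
    return {"tokens": handed_out, "fetch_calls": len(calls)}


def fails_without_any_valid_token() -> bool:
    """With nothing cached and IMDS unreachable, get_token raises rather than returning None."""
    def always_fail(_resource: str) -> Dict[str, str]:
        raise ConnectionError("IMDS unreachable")

    cache = TokenCache("https://vault.azure.net", fetch=always_fail, sleep=lambda _s: None, max_attempts=2)
    try:
        cache.get_token()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

With 24-hour tokens, renewing a few minutes early costs one extra IMDS call per day and removes the need for the "request fails, then fetch a token and retry" path on the hot path; the retry loop still matters for the renewal call itself, which is why transient failures are retried and a still-valid token is preferred over failing the caller.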
@schwichti I'm going to assign this to the document author so they can take a look at it accordingly
@barclayn Can you please check and add your comments on this doc update request as applicable.
@schwichti thank you for reaching out. I have created a work item to track internally and update the article with additional detail. In the meantime, if you still have questions please contact Microsoft support. #please-close