Configure token lifetime policies (preview)

Being able to create and manage token lifetimes for apps, service principals, and your whole organization makes many scenarios possible in Azure AD.

Important

After hearing from customers during the preview, we've implemented authentication session management capabilities in Azure AD Conditional Access. You can use this feature to configure refresh token lifetimes by setting sign-in frequency. After May 30, 2020, no new tenant will be able to use configurable token lifetime policy to configure session and refresh tokens. The deprecation will happen within several months after that date, which means that we will stop honoring existing session and refresh token policies. You can still configure access token lifetimes after the deprecation. In the scenarios below, the settings affected by the deprecation are the refresh and session token ones (MaxAgeSingleFactor, MaxAgeMultiFactor, MaxInactiveTime, MaxAgeSessionSingleFactor); AccessTokenLifetime is not affected.

In this section, we walk through a few common policy scenarios that can help you impose new rules for:

  • Token lifetime
  • Token max inactive time
  • Token max age

In the examples, you learn how to:

  • Manage an organization's default policy
  • Create a policy for web sign-in
  • Create a policy for a native app that calls a web API
  • Manage an advanced policy

Prerequisites

In the following examples, you create, update, link, and delete policies for apps, service principals, and your overall organization. If you are new to Azure AD, we recommend that you learn how to get an Azure AD tenant before you proceed with these examples.

To get started, do the following:

  1. Download the latest Azure AD PowerShell Module Public Preview release (the AzureADPreview module). The policy cmdlets used below, such as New-AzureADPolicy and Add-AzureADServicePrincipalPolicy, are only available in the preview module, not in the GA AzureAD module.

  2. Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session. The -AzureEnvironmentName AzureChinaCloud parameter targets Azure operated by 21Vianet; omit it to sign in to the global Azure AD endpoint.

    Connect-AzureAD -AzureEnvironmentName AzureChinaCloud -Confirm 
    
  3. To see all policies that have been created in your organization, run the following command. Run this command after most operations in the following scenarios. Running the command also returns the ObjectId of each policy, which the later steps need.

    Get-AzureADPolicy
    

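The policy definitions returned by Get-AzureADPolicy are JSON strings, and the durations in them use the .NET TimeSpan form d.hh:mm:ss, with the keyword "until-revoked" as the only non-duration value. The following is an added example, not code from the original page: ConvertFrom-TokenLifetimeDefinition parses one definition into typed values offline, and Get-TokenLifetimePolicyReport uses it to list every token lifetime policy in a connected tenant together with the objects it is linked to. It assumes the AzureADPreview module (for Get-AzureADPolicyAppliedObject) and an existing Connect-AzureAD session for the report function; the sample definitions at the bottom are constructed to match the shapes the scenarios below create.

```powershell
# Added example (not from the original page). Requires AzureADPreview and an
# active Connect-AzureAD session for Get-TokenLifetimePolicyReport only;
# ConvertFrom-TokenLifetimeDefinition runs offline.

function ConvertFrom-TokenLifetimeDefinition {
    # Flattens one Definition string into a PSCustomObject. Durations are
    # d.hh:mm:ss (for example "2.00:00:00") and become [TimeSpan]; the keyword
    # "until-revoked" is kept as a string because it is not a duration.
    param([Parameter(Mandatory)][string]$Definition)

    $json = $Definition | ConvertFrom-Json
    $body = $json.TokenLifetimePolicy
    if (-not $body) { throw 'Definition does not contain a TokenLifetimePolicy object.' }
    if ($body.Version -ne 1) { throw "Unsupported TokenLifetimePolicy version: $($body.Version)" }

    $result = [ordered]@{}
    foreach ($prop in $body.PSObject.Properties) {
        if ($prop.Name -eq 'Version') { continue }
        $value = [string]$prop.Value
        if ($value -eq 'until-revoked') {
            $result[$prop.Name] = $value
        } else {
            # Accepts "02:00:00", "2.00:00:00", "180.00:00:00"; throws on malformed input
            $result[$prop.Name] = [TimeSpan]::Parse($value)
        }
    }
    [pscustomobject]$result
}

function Get-TokenLifetimePolicyReport {
    # One row per TokenLifetimePolicy: settings plus the apps/service principals it is linked to.
    Get-AzureADPolicy |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' } |
        ForEach-Object {
            $settings = ConvertFrom-TokenLifetimeDefinition -Definition $_.Definition[0]
            $linked   = @(Get-AzureADPolicyAppliedObject -Id $_.Id)
            [pscustomobject]@{
                Id                    = $_.Id
                DisplayName           = $_.DisplayName
                IsOrganizationDefault = $_.IsOrganizationDefault
                Settings              = $settings
                LinkedObjects         = @($linked | ForEach-Object { "$($_.ObjectType):$($_.DisplayName)" })
            }
        }
}

# Constructed sample definitions in the same shape the scenarios on this page create.
$samples = @(
    '{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"until-revoked"}}',
    '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}',
    '{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"30.00:00:00","MaxAgeMultiFactor":"until-revoked","MaxAgeSingleFactor":"180.00:00:00"}}'
)
$samples | ForEach-Object { ConvertFrom-TokenLifetimeDefinition -Definition $_ } | Format-List

# Against a connected tenant:
# Get-TokenLifetimePolicyReport | Format-List
```

Parsing the durations into TimeSpan values is what makes the report useful for review: a value such as 180 days for MaxAgeSingleFactor is easy to compare against a policy baseline once it is a number rather than a string.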
Manage an organization's default policy

In this example, you create a policy that lets your users sign in less frequently across your entire organization. To do this, create a token lifetime policy for single-factor refresh tokens and make it the organization default. The policy applies to every application in your organization, and to each service principal that doesn't already have a policy of its own. Keep in mind that a refresh token set to "until-revoked" stays valid until it is explicitly revoked, so a stolen refresh token remains usable for just as long; this is the refresh token setting that Conditional Access sign-in frequency replaces, as noted in the deprecation notice above.

  1. Create a token lifetime policy.

    1. Set the single-factor refresh token to "until-revoked." The token doesn't expire until access is revoked. Create the following policy definition:

      @('{
          "TokenLifetimePolicy":
          {
              "Version":1,
              "MaxAgeSingleFactor":"until-revoked"
          }
      }')
      
    2. To create the policy, run the New-AzureADPolicy cmdlet:

      $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1, "MaxAgeSingleFactor":"until-revoked"}}') -DisplayName "OrganizationDefaultPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
      
    3. The definition in the previous step contains a space after "Version":1. To strip whitespace from the stored definition, read it back with Get-AzureADPolicy and write it again with Set-AzureADPolicy:

      Set-AzureADPolicy -Id $policy.Id -Definition @(((Get-AzureADPolicy -Id $policy.Id).Definition[0]).Replace(" ",""))
      
    4. To see your new policy, and to get the policy's ObjectId, run the following command:

      Get-AzureADPolicy -Id $policy.Id
      
  2. Update the policy.

    You might decide that the first policy you set in this example is not as strict as your service requires. To set your single-factor refresh token to expire in two days, run the following command (durations use the .NET TimeSpan format d.hh:mm:ss, so "2.00:00:00" is two days):

    Set-AzureADPolicy -Id $policy.Id -DisplayName $policy.DisplayName -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"2.00:00:00"}}')
    

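The create, strip-whitespace, verify and update steps above are all operations on the single organization default policy. As an added example (not code from the original page), the function below builds the definition from a hashtable with ConvertTo-Json -Compress, which emits no whitespace and so makes the separate Replace(" ","") step unnecessary, and then either updates the existing organization default or creates one. It assumes an active Connect-AzureAD session with the AzureADPreview module, that only one organization default TokenLifetimePolicy exists per tenant, and the setting names used on this page (MaxAgeSessionMultiFactor, the multi-factor counterpart of MaxAgeSessionSingleFactor, is included in the allow-list but is not shown elsewhere on this page).

```powershell
# Added example (not from the original page). Requires AzureADPreview and an
# active Connect-AzureAD session.

function Set-OrganizationDefaultTokenLifetimePolicy {
    param(
        # e.g. @{ MaxAgeSingleFactor = '2.00:00:00' }
        [Parameter(Mandatory)][hashtable]$Settings,
        [string]$DisplayName = 'OrganizationDefaultPolicyScenario'
    )

    # Reject unknown keys so a typo cannot silently produce a policy that
    # changes nothing. MaxAgeSessionMultiFactor is assumed from the naming of the
    # other settings; the rest are the names this page uses.
    $known = 'AccessTokenLifetime', 'MaxInactiveTime', 'MaxAgeSingleFactor', 'MaxAgeMultiFactor',
             'MaxAgeSessionSingleFactor', 'MaxAgeSessionMultiFactor'
    foreach ($k in $Settings.Keys) {
        if ($k -notin $known) { throw "Unknown TokenLifetimePolicy setting: $k" }
        $v = [string]$Settings[$k]
        # Validate the value shape client-side: a duration or the until-revoked keyword.
        if ($v -ne 'until-revoked') { [void][TimeSpan]::Parse($v) }
    }

    $body = [ordered]@{ Version = 1 }
    foreach ($k in $Settings.Keys) { $body[$k] = [string]$Settings[$k] }
    # -Compress produces e.g. {"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"2.00:00:00"}}
    $definition = @{ TokenLifetimePolicy = $body } | ConvertTo-Json -Compress -Depth 3

    # Assumption: at most one organization default exists per policy type, so update it if present.
    $existing = Get-AzureADPolicy |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' -and $_.IsOrganizationDefault } |
        Select-Object -First 1

    if ($existing) {
        Set-AzureADPolicy -Id $existing.Id -DisplayName $DisplayName -Definition @($definition)
        Get-AzureADPolicy -Id $existing.Id
    } else {
        New-AzureADPolicy -Definition @($definition) -DisplayName $DisplayName `
            -IsOrganizationDefault $true -Type 'TokenLifetimePolicy'
    }
}

# The "update" step of this scenario, a two-day single-factor refresh token lifetime:
# Set-OrganizationDefaultTokenLifetimePolicy -Settings @{ MaxAgeSingleFactor = '2.00:00:00' }
```

Validating the duration strings before calling the service means a malformed value fails locally with a TimeSpan parse error rather than being rejected, or silently mis-stored, by the directory.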
Create a policy for web sign-in

In this example, you create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens and the max age of a single-factor session token on the service principal of your web app.

  1. Create a token lifetime policy.

    This policy, for web sign-in, sets the access/ID token lifetime and the max single-factor session token age to two hours.

    1. To create the policy, run the New-AzureADPolicy cmdlet:

      $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
      
    2. To see your new policy, and to get the policy ObjectId, run the Get-AzureADPolicy cmdlet:

      Get-AzureADPolicy -Id $policy.Id
      
  2. Assign the policy to your service principal. You also need the ObjectId of your service principal.

    1. Use the Get-AzureADServicePrincipal cmdlet to see all your organization's service principals, or a single one by display name:

      # Get ID of the service principal
      $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
      
    2. When you have the service principal, run the Add-AzureADServicePrincipalPolicy cmdlet:

      # Assign policy to a service principal
      Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
      

Create a policy for a native app that calls a web API

In this example, you create a policy that requires users to authenticate less frequently. The policy also lengthens the amount of time a user can be inactive before the user must reauthenticate. The policy is applied to the web API's application object. When the native app requests the web API as a resource, this policy is applied.

  1. Create a token lifetime policy.

    1. To create the (more lenient) policy for the web API, run the New-AzureADPolicy cmdlet. It allows 30 days of inactivity, keeps multi-factor refresh tokens valid until revoked, and lets single-factor refresh tokens live for 180 days:

      $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"30.00:00:00","MaxAgeMultiFactor":"until-revoked","MaxAgeSingleFactor":"180.00:00:00"}}') -DisplayName "WebApiDefaultPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
      
    2. To see your new policy, run the following command:

      Get-AzureADPolicy -Id $policy.Id
      
  2. Assign the policy to your web API. You also need the ObjectId of your application. Use the Get-AzureADApplication cmdlet to find your app's ObjectId, or use the Azure portal.

    Get the ObjectId of your app and assign the policy:

    # Get the application
    $app = Get-AzureADApplication -Filter "DisplayName eq 'Fourth Coffee Web API'"
    
    # Assign the policy to your web API.
    Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
    

Manage an advanced policy

In this example, you create a few policies to learn how the priority system works. You also learn how to manage multiple policies that are applied to several objects.

  1. Create a token lifetime policy.

    1. To create an organization default policy that sets the single-factor refresh token lifetime to 30 days, run the New-AzureADPolicy cmdlet:

      $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"30.00:00:00"}}') -DisplayName "ComplexPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
      
    2. To see your new policy, run the Get-AzureADPolicy cmdlet:

      Get-AzureADPolicy -Id $policy.Id
      
  2. Assign the policy to a service principal.

    Now you have a policy that applies to the entire organization. You might want to preserve this 30-day policy for a specific service principal, but change the organization default policy to the upper limit of "until-revoked."

    1. To see all your organization's service principals, use the Get-AzureADServicePrincipal cmdlet.

    2. When you have the service principal, run the Add-AzureADServicePrincipalPolicy cmdlet:

      # Get ID of the service principal
      $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
      
      # Assign policy to a service principal
      Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
      
  3. Set the IsOrganizationDefault flag on the original policy to false, so that a different policy can become the organization default:

    Set-AzureADPolicy -Id $policy.Id -DisplayName "ComplexPolicyScenario" -IsOrganizationDefault $false
    
  4. Create a new organization default policy:

    New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"until-revoked"}}') -DisplayName "ComplexPolicyScenarioTwo" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
    

    You now have the original policy linked to your service principal, and the new policy set as your organization default. It's important to remember that policies applied to service principals have priority over organization default policies.
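The web sign-in, web API and advanced scenarios above link policies to service principals and applications, and this last step relies on a service principal's own policy taking priority over the organization default. As an added example (not code from the original page), the first function below resolves which TokenLifetimePolicy governs a given service principal under exactly that rule, and the second unlinks a scenario policy from every object it is attached to before deleting it, which covers the "delete" operation the prerequisites mention but the scenarios never show. It assumes the AzureADPreview module and an active Connect-AzureAD session; policies linked to the application object are reported but, because this page does not state how they rank against service principal and organization default policies, no precedence is asserted for them.

```powershell
# Added example (not from the original page). Requires AzureADPreview and an
# active Connect-AzureAD session.

function Get-EffectiveTokenLifetimePolicy {
    # Precedence as stated on this page: a policy linked to the service principal
    # wins over the organization default. With neither, Azure AD's built-in
    # lifetimes apply.
    param([Parameter(Mandatory)][string]$ServicePrincipalObjectId)

    $spPolicies = @(Get-AzureADServicePrincipalPolicy -Id $ServicePrincipalObjectId |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' })
    if ($spPolicies.Count -gt 0) {
        return [pscustomobject]@{ Source = 'ServicePrincipal'; Policy = $spPolicies[0] }
    }

    $orgDefault = Get-AzureADPolicy |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' -and $_.IsOrganizationDefault } |
        Select-Object -First 1
    if ($orgDefault) {
        return [pscustomobject]@{ Source = 'OrganizationDefault'; Policy = $orgDefault }
    }

    [pscustomobject]@{ Source = 'ServiceDefault'; Policy = $null }
}

function Get-ApplicationTokenLifetimePolicies {
    # Policies linked to the application object (as in the web API scenario).
    # Reported for completeness; this page does not state their precedence.
    param([Parameter(Mandatory)][string]$ApplicationObjectId)
    @(Get-AzureADApplicationPolicy -Id $ApplicationObjectId |
        Where-Object { $_.Type -eq 'TokenLifetimePolicy' })
}

function Remove-TokenLifetimePolicyEverywhere {
    # Unlink the policy from each object it is applied to, then delete it, so no
    # application or service principal is left referencing a policy that no longer exists.
    param([Parameter(Mandatory)][string]$PolicyId)

    foreach ($obj in @(Get-AzureADPolicyAppliedObject -Id $PolicyId)) {
        switch ($obj.ObjectType) {
            'ServicePrincipal' { Remove-AzureADServicePrincipalPolicy -Id $obj.ObjectId -PolicyId $PolicyId }
            'Application'      { Remove-AzureADApplicationPolicy -Id $obj.ObjectId -PolicyId $PolicyId }
            default            { Write-Warning "Unhandled object type '$($obj.ObjectType)' for $($obj.ObjectId)" }
        }
    }
    Remove-AzureADPolicy -Id $PolicyId
}

# Usage against a connected tenant (placeholders as on this page):
# $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
# Get-EffectiveTokenLifetimePolicy -ServicePrincipalObjectId $sp.ObjectId
# $app = Get-AzureADApplication -Filter "DisplayName eq 'Fourth Coffee Web API'"
# Get-ApplicationTokenLifetimePolicies -ApplicationObjectId $app.ObjectId
# $old = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq 'ComplexPolicyScenario' }
# Remove-TokenLifetimePolicyEverywhere -PolicyId $old.Id
```

Running Get-EffectiveTokenLifetimePolicy before and after step 3 above shows the point of the scenario: the service principal keeps the 30-day policy (Source = ServicePrincipal) while every other service principal falls through to the new "until-revoked" organization default.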