Token minimum validity period: Using Microsoft Entra ID to connect to Azure Cache for Redis

Parthasarathy Vasudevan 0 Reputation points
2024-09-17T12:29:55.6333333+00:00

Hi There,

I am working on migrating from access-key-based connections to Azure Cache for Redis to Microsoft Entra ID. I am using UAMI/SPN to generate the token, and I am told that the token is valid for roughly 24 hours (probably that is an overarching rule from my organisation). The nature of my application is such that we could have thousands of calls to Redis, hence waiting for the token to expire and then refreshing is not an option.

In my case, I am on a fixed-schedule (every 23 hours) refresh cycle. However, I am seeing that the new token is not always valid for 24 hours. For example, one of them is 23 hours 25 minutes, another is 23 hours 41 minutes.

My question is: what is the absolute minimum guaranteed duration that the token will be valid for? This is imperative for me, to make sure I do not end up in a situation where the token expires before my schedule kicks in.

Note: I don't want to eagerly validate the token on every call as that will add overhead to my calls resulting in degraded performance offering from my application.


1 answer

  1. Oury Ba-MSFT 19,581 Reputation points Microsoft Employee
    2024-09-20T15:57:47.76+00:00

    @Parthasarathy Vasudevan

    Usually, token validity is set by the customer's Entra configuration.

    We are not sure what is causing the variability instead of just always exactly 24:00:00. Opening a support ticket might be helpful here.

    Regardless, if your system looks into the token to check the expiration, and starts renewal some time before it expires, there shouldn't be any problem with this variability.

    It is not expected that token renewal will fail, but there could be network glitches or another unforeseen situation that might cause this. Renewing the token in advance seems like a reasonable precaution to take.

    We are moving towards Entra authentication more and more, and new cache creation in Portal is already defaulting to Entra ON and Access Keys OFF. So, we will encourage customers to move to Entra as it is more secure and definitely the authentication method of preference going forward.

    Regards,

    Oury
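
An added example, not part of the original answer and not Microsoft code: it schedules the next refresh from the token's own expiry instead of a fixed 23-hour timer, so a shorter-than-expected lifetime is still covered without checking the token on every Redis call. It assumes the access token is a compact JWT carrying an `exp` claim; the function names, the one-hour margin and the sample tokens are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional


def token_expiry(jwt: str) -> int:
    """Return the `exp` claim (Unix seconds) of a compact JWT.

    The payload is read only to schedule renewal. No signature is checked,
    so this value must not be used for any trust decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise ValueError("token has no integer exp claim")
    return exp


def seconds_until_refresh(jwt: str, margin: int = 3600,
                          now: Optional[float] = None) -> float:
    """Delay before the next refresh: expiry minus a safety margin.

    Returns 0.0 when the token is already inside the margin (or expired),
    which tells the caller to refresh immediately.
    """
    now = time.time() if now is None else now
    return max(0.0, token_expiry(jwt) - margin - now)


def make_sample_token(exp: int) -> str:
    """Constructed, unsigned sample token used only by the demo."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"


if __name__ == "__main__":
    issued = 1_726_576_195  # constructed issue time
    # Lifetimes from the question: 24h, 23h25m, 23h41m
    for lifetime in (86_400, 84_300, 85_260):
        tok = make_sample_token(issued + lifetime)
        delay = seconds_until_refresh(tok, margin=3600, now=issued)
        print(f"lifetime {lifetime}s -> refresh in {delay:.0f}s")
```

If the identity library already returns the expiry next to the token (for example `AccessToken.expires_on` in azure-identity for Python), use that value in place of decoding the payload. Run the refresh from a background timer armed with the returned delay after every successful token fetch.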

