
Commit 00c1285

author: taeul committed
Update EMU-OIDC-tokenlifetime-policy.md
1 parent 1195928 commit 00c1285

File tree

1 file changed

+3
-1
lines changed


microsoft-graph-api/EMU-OIDC-tokenlifetime-policy.md

+3-1
@@ -3,7 +3,9 @@
33

44
This is applicable to GitHub Enterprise Cloud enterprises that are enabled for [enterprise managed users (EMUs) and using Azure AD/Entra OIDC authentication](https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users).
55

6-
[You can adjust the lifetime of a session, and how often a managed user account needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for GitHub from your IdP. The default lifetime is one hour](https://docs.github.com/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users#about-oidc-for-enterprise-managed-users). Our GitHub public documentation currently links [to this Microsoft article](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes) for configuring this ID token lifetime policy; however, the PowerShell steps in that Microsoft article will not allow you to assign a token lifetime policy to the GitHub Enterprise Managed User (OIDC) app based on `ServicePrincipal Id` rather than application object `Id`. The token lifetime policy needs to be assigned to the `ServicePrincipal Id` of the app because this is the local representation of this multi-tenant app in your Azure AD/Entra tenant. It does not appear that the current PowerShell `cmdlets` will allow you to do this for a multi-tenant app, however the [MS Graph API](https://learn.microsoft.com/en-us/graph/use-the-api) will allow you to do this.
6+
You can adjust the lifetime of a session, and how often a managed user account needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for GitHub from your IdP. [The default lifetime is one hour](https://docs.github.com/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users#about-oidc-for-enterprise-managed-users). The steps that an Entra ID admin can follow to create and assign a token lifetime policy to the ID of the Service Principal object associated with the `GitHub Enterprise Managed User (OIDC)` app this are in [this section](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-a-service-principal) of the Microsoft "Configure token lifetime policies" article.
7+
8+
The `GitHub Enterprise Managed User (OIDC)` app is a multi-tenant app, and when an admin configures OIDC authentication for an enterprise, it registers an instance of this app in the admin's tenant. The token lifetime policy needs to be assigned to the ID of the **Service Principal** object associated with the `GitHub Enterprise Managed User (OIDC)` app (rather than the application ID). Note that the PowerShell steps in [this section of that Microsoft article](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-an-app) will not allow you to do this, however the [MS Graph API](https://learn.microsoft.com/en-us/graph/use-the-api) will allow you to configure and assign a token lifetime policy to the Service Principal ID of the instance of the OIDC app in your Entra tenant.
79

810
## MS Graph Explorer steps for creating a `tokenLifetimePolicy` and assigning it to the GitHub Enterprise Managed User (OIDC) app in Azure AD/Entra
911
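Review bot: the new line 6+ has a stray "this" in "associated with the `GitHub Enterprise Managed User (OIDC)` app this are in [this section]"; suggest "…app are in [this section]…". Two smaller points in the same hunk: line 8+ reads "will not allow you to do this, however the [MS Graph API] will allow you…", which is a comma splice and would read better as two sentences ("…will not allow you to do this. The [MS Graph API], however, will…"); and line 8+ now says "Entra ID admin" / "Entra tenant" while the unchanged heading below still says "Azure AD/Entra", so consider picking one name for the tenant throughout the file.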
