https://communities.sas.com/t5/Administration-and-Deployment/SAS-Viya-gMSA-Scheduling-and-Refresh-Token-Behavior/m-p/987051#M30807 <P data-end="373" data-start="259"><FONT size="2">Hello All,</FONT></P> <P data-end="373" data-start="259">&nbsp;</P> <P data-end="373" data-start="259"><FONT size="2">This is regarding our implementation of a Group Managed Service Account (gMSA) in our latest SAS Viya environment.</FONT></P> <P data-end="373" data-start="259">&nbsp;</P> <P data-end="627" data-start="375"><FONT size="2">We have created a service account in Entra and provisioned it to SAS via SCIM for scheduling purposes. Based on this, we are planning to use a gMSA-style approach where a group of users from our OPS team can schedule jobs using this service account.</FONT></P> <H3 data-end="647" data-start="629" data-section-id="5hh6du"><FONT size="2">Current setup:</FONT></H3> <OL data-end="973" data-start="648"> <LI data-end="750" data-start="648" data-section-id="1k1yekv"><FONT size="2">Created a service account and added it to a custom group: “Service Account User for Schedule”</FONT></LI> <LI data-end="831" data-start="751" data-section-id="vknxi5"><FONT size="2">Created an Entra ID group: OPS_Schedule_Team and added relevant members&nbsp; and then provisioned to SAS</FONT></LI> <LI data-end="973" data-start="832" data-section-id="10t8xtm"><FONT size="2">Logged in via CLI using the service account and executed the following commands to create the authentication domain and store credentials:</FONT></LI> </OL> <PRE><FONT size="2">sas-viya credentials domains create --domain-id Scheduling_OPS_TokenAuth --type oauth2.0 sas-viya credentials groups create --domain-id Scheduling_OPS_TokenAuth --identity-id OPS_Schedule_Team --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling</FONT></PRE> <P>&nbsp;</P> <UL> <LI data-end="1441" data-start="1282" data-section-id="164l7hy"><FONT size="2">The domain was created successfully, and I can see an entry in the credentials store for this authentication domain with identity as OPS_Schedule_Team</FONT></LI> <LI data-end="1627" data-start="1442" data-section-id="wvq6g2"><FONT size="2">In SAS Environment Manager, users in the OPS team are able to select the service account under the “Run as” option when scheduling jobs. Everything is working as expected so far.</FONT></LI> </UL> <P data-end="1801" data-start="1643"><FONT size="2">Going forward, we will not be logging in interactively using the service account. Instead, OPS team members will schedule jobs using it via the gMSA approach.</FONT></P> <P data-end="1801" data-start="1643">&nbsp;</P> <P data-end="1860" data-start="1803"><FONT size="2">My question is regarding the refresh token lifecycle:</FONT></P> <P data-end="1860" data-start="1803">&nbsp;</P> <UL data-end="2536" data-start="1862"> <LI data-end="2044" data-start="1862" data-section-id="vherz3"><FONT size="2">Since we are not logging in interactively with the service account, will scheduled jobs continue to run only until the refresh token remains valid? Is this understanding correct?</FONT></LI> <LI data-end="2185" data-start="2045" data-section-id="sc8qqp"><FONT size="2">If the refresh token expires, what is the recommended way to automate token renewal for the service account without manual intervention?</FONT></LI> <LI data-end="2185" data-start="2045" data-section-id="sc8qqp"><FONT size="2">I came across this document:<A href="https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update/ta-p/893085" target="_blank">https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update/ta-p/893085</A>&nbsp;It mentions a scheduled job for automatic token rotation, but it appears to apply only up to the 2023.11 release. We are currently on the 2026.03 release—has this approach changed in newer versions?</FONT></LI> </UL> <H3 data-end="2567" data-start="2538" data-section-id="1kedncx"><FONT size="2">Additional clarification:</FONT></H3> <P data-end="2865" data-start="2568"><FONT size="2">If we do not use the gMSA approach and instead log in interactively with the service account to schedule jobs, would we face the same issue? For example, if a job is scheduled daily and no one logs in again for an extended period, will the job continue to run only until the refresh token expires?</FONT></P> <P data-end="2865" data-start="2568">&nbsp;</P> <P data-end="2950" data-start="2867"><FONT size="2">Any clarification or best practices around this setup would be greatly appreciated.&nbsp;</FONT><FONT size="2">Thanks in advance.</FONT></P> <P>&nbsp;</P> Fri, 01 May 2026 09:25:55 GMT freshstarter 2026-05-01T09:25:55Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Viya-gMSA-Scheduling-and-Refresh-Token-Behavior/m-p/987051#M30807 <P data-end="373" data-start="259"><FONT size="2">Hello All,</FONT></P> <P data-end="373" data-start="259">&nbsp;</P> <P data-end="373" data-start="259"><FONT size="2">This is regarding our implementation of a Group Managed Service Account (gMSA) in our latest SAS Viya environment.</FONT></P> <P data-end="373" data-start="259">&nbsp;</P> <P data-end="627" data-start="375"><FONT size="2">We have created a service account in Entra and provisioned it to SAS via SCIM for scheduling purposes. Based on this, we are planning to use a gMSA-style approach where a group of users from our OPS team can schedule jobs using this service account.</FONT></P> <H3 data-end="647" data-start="629" data-section-id="5hh6du"><FONT size="2">Current setup:</FONT></H3> <OL data-end="973" data-start="648"> <LI data-end="750" data-start="648" data-section-id="1k1yekv"><FONT size="2">Created a service account and added it to a custom group: “Service Account User for Schedule”</FONT></LI> <LI data-end="831" data-start="751" data-section-id="vknxi5"><FONT size="2">Created an Entra ID group: OPS_Schedule_Team and added relevant members&nbsp; and then provisioned to SAS</FONT></LI> <LI data-end="973" data-start="832" data-section-id="10t8xtm"><FONT size="2">Logged in via CLI using the service account and executed the following commands to create the authentication domain and store credentials:</FONT></LI> </OL> <PRE><FONT size="2">sas-viya credentials domains create --domain-id Scheduling_OPS_TokenAuth --type oauth2.0 sas-viya credentials groups create --domain-id Scheduling_OPS_TokenAuth --identity-id OPS_Schedule_Team --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling</FONT></PRE> <P>&nbsp;</P> <UL> <LI data-end="1441" data-start="1282" data-section-id="164l7hy"><FONT size="2">The domain was created successfully, and I can see an entry in the credentials store for this authentication domain with identity as OPS_Schedule_Team</FONT></LI> <LI data-end="1627" data-start="1442" data-section-id="wvq6g2"><FONT size="2">In SAS Environment Manager, users in the OPS team are able to select the service account under the “Run as” option when scheduling jobs. Everything is working as expected so far.</FONT></LI> </UL> <P data-end="1801" data-start="1643"><FONT size="2">Going forward, we will not be logging in interactively using the service account. Instead, OPS team members will schedule jobs using it via the gMSA approach.</FONT></P> <P data-end="1801" data-start="1643">&nbsp;</P> <P data-end="1860" data-start="1803"><FONT size="2">My question is regarding the refresh token lifecycle:</FONT></P> <P data-end="1860" data-start="1803">&nbsp;</P> <UL data-end="2536" data-start="1862"> <LI data-end="2044" data-start="1862" data-section-id="vherz3"><FONT size="2">Since we are not logging in interactively with the service account, will scheduled jobs continue to run only until the refresh token remains valid? Is this understanding correct?</FONT></LI> <LI data-end="2185" data-start="2045" data-section-id="sc8qqp"><FONT size="2">If the refresh token expires, what is the recommended way to automate token renewal for the service account without manual intervention?</FONT></LI> <LI data-end="2185" data-start="2045" data-section-id="sc8qqp"><FONT size="2">I came across this document:<A href="https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update/ta-p/893085" target="_blank">https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update/ta-p/893085</A>&nbsp;It mentions a scheduled job for automatic token rotation, but it appears to apply only up to the 2023.11 release. We are currently on the 2026.03 release—has this approach changed in newer versions?</FONT></LI> </UL> <H3 data-end="2567" data-start="2538" data-section-id="1kedncx"><FONT size="2">Additional clarification:</FONT></H3> <P data-end="2865" data-start="2568"><FONT size="2">If we do not use the gMSA approach and instead log in interactively with the service account to schedule jobs, would we face the same issue? For example, if a job is scheduled daily and no one logs in again for an extended period, will the job continue to run only until the refresh token expires?</FONT></P> <P data-end="2865" data-start="2568">&nbsp;</P> <P data-end="2950" data-start="2867"><FONT size="2">Any clarification or best practices around this setup would be greatly appreciated.&nbsp;</FONT><FONT size="2">Thanks in advance.</FONT></P> <P>&nbsp;</P> Fri, 01 May 2026 09:25:55 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Viya-gMSA-Scheduling-and-Refresh-Token-Behavior/m-p/987051#M30807 freshstarter 2026-05-01T09:25:55Z