Manage authentication sessions in Azure AD conditional access is now in public preview!

This is a good step but how would this condition be satisfied:

We have several (not ALL) applications that we want to force MFA on every sign-in, including if they close and relaunch the browser (persistent cookie).

The risk here is someone logs in to the app, reviews what they need, and then closes the browser and walks away from their desk.  Someone else then sits down and opens the browser to the same web site and automatically gets in due to the persistent cookie.

We would not want to have to remove the token for every application and therefore force login/MFA for all apps every time.

Any way to handle this situation with the controls we have available?

@Tony Rogers, the default lifetime is until the session revoked with 90 days of inactivity window. 

Andrew Liggett, this affects refresh tokens and session cookies. User will need to re-authenticate, including redirection to the federated IDP.  

Gurdev Singh , I believe your questions have been covered in the public documentation for the feature. Please take a look. 

Mcsood, your points are correct

anubha23, if MFA is enabled user will be prompted for both factors. 

When these 2 features will be launched. My question is whether "User will be asked for MFA Authentication or Single Factor Sign IN with CA policy enabled for Sign in Frequency as 1hour. And MFA is enabled for this user."  

Thanks Alex. This is good news! A clarification/question on using Sign-ins Frequency in CA rules

• If I configure the new Conditional Access policy with Sign-In Frequency set to 30 days for devices connecting to Exchange Online from an external network, users would be required to perform an interactive login (user must type in Id/password) every 30 days. AND if MFA was required on the CA rule as condition, the user would also be MFA challenged every 30 days. Correct?
• The authentication and MFA challenge above would be scoped to EXO and therefore if a separate CA rule had the same Sign-in Frequency and MFA configuration but set for Sharepoint Online, user would be authenticating and MFA challenged on 2 separate cycles, one cycle for EXO and another for SPO
• If the above are accurate, then I believe 1 CA rule for all O365 clouds apps (EXO, SPO, Yammer etc) with the same Sign-in and MFA configurations would have the effect of creating 1 sign-in/MFA challenge cycle for all the apps in the policy. Correct?

could you please provide more clarity for following scenarios?

1. For federated users using ADFS, which settings apply. ADFS PSSO or conditional access sign-in frequency and persistence browser

2. What are the defaults PSSO & refresh token lifetimes. Is it 90 days or 180 days max inactive time with max age 'until-revoked'?

3. What happens to 'Stay signed in' dialog if conditional access settings are set to 'Persist' browser session. Does it still show up or is it up-to an administrator to hide this dialog box in company branding and simply use conditional access to either persist or not persist a browser session

Hi,

When we set the Sign-In Frequency what portion of the oauth flow are we changing?  

Is it the Access Token or Refresh Token length that is being altered? 

Using an federated identity provider will we be forcing the client back through that identity provider?

Thanks

Andy

what happen if the tenant does not have P1 license?

Awesome feature!

Deleted  I think the default session lifetime for persistent browser sessions will match the current default for Single sign-on session tokens with KMSI enabled. That is 180 days.

What is the default session lifetime if I set the "Persistent browser session" option to "Always persist"?

This is awesome. A more user-friendly way of managing token lifetimes!

Also, FYI, when I click on the "Click here to learn more" section of the "Persistent Browser session (Preview)", I brought to the Microsoft store page, not an article, well at least for me.