Forum Discussion
RippieUK
Dec 06, 2021 Brass Contributor
Conditional Access: Can someone please explain sign-in frequency and persistent browser session
Good morning, afternoon and evening everyone. So can someone please explain the difference between Sign-in Frequency and persistent browser session. Do I need to use both? I can read that sig...
RippieUK
Dec 06, 2021 Brass Contributor
I hope to be able to tell if I need both or just one of them, and what the effect on users is if one or the other or both is set.
VasilMichev
Dec 07, 2021 MVP
Think of the sign-in frequency as controlling the lifetime of the refresh token. Persistent session allows the browser to store the refresh token (which is usually kept in memory only), so it can be reused after you close/reopen all browser windows.
Refer to the documentation for more info: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
RippieUK
Dec 07, 2021 Brass Contributor
Hi Vasil,
Thank you for that article, that explains it quite well. The article gives an example: if you have your sign-in frequency set to 1 hour, and at 00:00 you log in to office.com and sit and work for an hour, at 01:00 you will be asked to log in again as per the sign-in frequency setting. Makes total sense and I am good with that.
In regards to the persistent session, if set to always, it will keep the browser session going even after the browser is closed or the computer rebooted.
If persistent session is set to never, then as soon as you close the browser or reboot the computer you have to log in again. Is that correct, regardless of the sign-in frequency setting?
From the Conditional Access policy page on persistent session it says this:
------------------------------------------
A persistent browser session allows users to remain signed in after closing and reopening their browser window.
This setting works correctly when "All cloud apps" are selected
This does not affect token lifetimes or the sign-in frequency setting.
This will override the "Show option to stay signed in" policy in Company Branding.
"Never persistent" will override any persistent SSO claims passed in from federated authentication services.
"Never persistent" will prevent SSO on mobile devices across applications and between applications and the user's mobile browser.
--------------------------------------------
Sounds like, from the first note, it works with all cloud apps selected, so it is all or nothing? Can't say for "App1, App2 & App4" do always persistent but for App3 never persistent.
It also says it does not affect the sign-in frequency setting, but I guess it does if it's never persistent, in the sense that once you close your browser you would have to sign in again once you re-open it?
We have 90 days set for sign-in frequency and persistent browsing set to always. I don't think this is a good setting, as we have some devices that are shared and staff use these devices (iPads) to log in to our HR system and do things like sickness, holiday requests and check-in and check-out.
I am interested in normal users not always having to log in and do MFA, but I also want to ensure some critical apps like our HR system or a Password Vault system really always ask for MFA.
VasilMichev
Dec 07, 2021 MVP
Persistent session applies to "all apps" because the browser "shares" the cookie with all resources it applies to; you don't get a separate cookie per app/resource. It's not directly related to the sign-in frequency in the sense that it's a simple "on/off" switch: either there is a cookie after you reopen the browser or not. But it does have a validity too, so you cannot use it indefinitely, so in that sense it is also tied to the SIF window.
For shared devices, you'd probably want a separate policy.
Miike445
Sep 05, 2022 Copper Contributor
Has anyone had both working together?
Running some tests this afternoon: Persistent Browser Session for all apps, with a 2 hour SIF. A separate policy for PowerApps with a 1 hour SIF. Once the one hour SIF is hit, all applications, not just PowerApps, require re-authentication in the browser.
Great if they would work independently but not sure if this is currently a thing!
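Vasil's advice above (persistent browser is a per-policy on/off switch that covers the whole browser cookie, so shared devices get their own policy) written out as two Conditional Access policies created through the Microsoft Graph PowerShell SDK. This is an added example, not something posted in the thread; the group ID is a placeholder and both policies are created in report-only mode so the effect can be checked in sign-in logs before enforcing.

```powershell
# Added example: a baseline policy for normal users and a separate, stricter
# policy for shared iPads, so the two session settings never overlap on one user.
# Requires the Microsoft.Graph PowerShell SDK. The group ID below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$sharedDeviceGroup = "00000000-0000-0000-0000-000000000001"   # placeholder: group of shared-device accounts

# Policy 1: baseline. 90-day sign-in frequency plus a persistent browser session,
# so normal users are not re-prompted for MFA every time the browser is reopened.
# "All" cloud apps is required for the persistent browser control to apply correctly.
$baseline = @{
    displayName = "CA - Baseline session lifetime"
    state       = "enabledForReportingButNotEnforced"   # report-only; change to "enabled" after review
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($sharedDeviceGroup) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "days"; value = 90 }
        persistentBrowser = @{ isEnabled = $true; mode = "always" }
    }
}

# Policy 2: shared devices only. 1-hour sign-in frequency and no persistent browser
# cookie, so closing the browser on a shared iPad ends the signed-in session.
# The group is excluded from the baseline above, so only this policy applies to it.
$sharedDevices = @{
    displayName = "CA - Shared devices: short session, never persistent"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeGroups = @($sharedDeviceGroup) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1 }
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline
New-MgIdentityConditionalAccessPolicy -BodyParameter $sharedDevices
```

Keeping the two user scopes disjoint is the point: when two policies with different sign-in frequencies both match one sign-in, the shorter window wins for the whole browser session, which is the behaviour Miike445 observed above.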