Howdy folks,

I’m excited to announce public preview of authentication sessions management capabilities for Azure AD conditional access. Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers—giving you fined-grained controls that can offer more security and flexibility in your environment. Authentication session management capabilities require Azure AD Premium P1 subscription.

Getting started
To get started, set the sign-in frequency, which defines the time period before a user is asked to sign-in again when attempting to access a resource. You can set the value from 1 hour to 365 days.
You can also set a persistent browser session. This allows users to remain signed in after closing and reopening their browser window. We support two new settings: always persist or never persist. In both cases, you’ll make the decision on behalf of your users and they won’t see a “Stay signed in?” prompt.


Manage authentication sessions in Azure AD conditional access 1.png


Configuring authentication sessions for your environment
Configuring how often your users need to provide credentials for sign-in and if their browser sessions will be persisted is a delicate balance between security and productivity. For most deployments, the Azure AD default configuration for authentication session already provides the necessary security while balancing a productive user experience. Asking users to frequently sign-in may not make sessions more secure and can hinder a productive user experience. So it’s important to consider if changing the default configuration is necessary for your environment.

For complex deployments, you might have a real need to restrict authentication sessions. Fine grained conditional access controls allow you to create policies that target specific use cases within your organization such as data access from unmanaged or shared devices, without affecting productivity of compliant users. With conditional access you can now adapt authentication session lifetime depending on sensitivity of a resource, user account privilege, authentication strength, device configuration, location and many other conditions.

We’re excited to provide these new enhancements to our customers and as always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below.

Best regards,


Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

Note: This feature replaces the Configurable Token Lifetimes feature currently in public preview. If you’re using Configurable Token Lifetimes, please make plans to transition to conditional access for authentication sessions management. Configurable Token Lifetime will be retired six months from now on October 15, 2019.

Senior Member

This is awesome. A more user-friendly way of managing token lifetimes!


Also, FYI, when I click on the "Click here to learn more" section of the "Persistent Browser session (Preview)", I brought to the Microsoft store page, not an article, well at least for me.


What is the default session lifetime if I set the "Persistent browser session" option to "Always persist"?

Senior Member

Awesome feature!

@Tony Rogers  I think the default session lifetime for persistent browser sessions will match the current default for Single sign-on session tokens with KMSI enabled. That is 180 days.

Occasional Visitor

what happen if the tenant does not have P1 license?



When we set the Sign-In Frequency what portion of the oauth flow are we changing?  


Is it the Access Token or Refresh Token length that is being altered? 


Using an federated identity provider will we be forcing the client back through that identity provider?