Home
%3CLINGO-SUB%20id%3D%22lingo-sub-509253%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-509253%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20awesome.%20A%20more%20user-friendly%20way%20of%20managing%20token%20lifetimes!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20FYI%2C%20when%20I%20click%20on%20the%20%22Click%20here%20to%20learn%20more%22%20section%20of%20the%20%22Persistent%20Browser%20session%20(Preview)%22%2C%20I%20brought%20to%20the%20Microsoft%26nbsp%3Bstore%20page%2C%20not%20an%20article%2C%20well%20at%20least%20for%20me.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-510799%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-510799%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20is%20the%20default%20session%20lifetime%20if%20I%20set%20the%20%22Persistent%20browser%20session%22%20option%26nbsp%3Bto%20%22Always%20persist%22%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-518391%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-518391%22%20slang%3D%22en-US%22%3E%3CP%3EAwesome%20feature!%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F235398%22%20target%3D%22_blank%22%3E%40Tony%20Rogers%3C%2FA%3E%26nbsp%3B%20I%20think%20the%20default%20session%20lifetime%20for%20persistent%20browser%20sessions%20will%20match%20the%20current%20default%20for%20Single%20sign-on%20session%20tokens%20with%20KMSI%20enabled.%20That%20is%20180%20days.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-545855%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-545855%22%20slang%3D%22en-US%22%3E%3CP%3Ewhat%20happen%20if%20the%20tenant%20does%20not%20have%20P1%20license%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-563451%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-563451%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20we%20set%20the%20Sign-In%20Frequency%20what%20portion%20of%20the%20oauth%20flow%20are%20we%20changing%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20the%20Access%20Token%20or%20Refresh%20Token%20length%20that%20is%20being%20altered%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsing%20an%20federated%20identity%20provider%20will%20we%20be%20forcing%20the%20client%20back%20through%20that%20identity%20provider%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAndy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-500983%22%20slang%3D%22en-US%22%3EManage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-500983%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%E2%80%99m%20excited%20to%20announce%20public%20preview%20of%20authentication%20sessions%20management%20capabilities%20for%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2083106%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20AD%20conditional%20access%3C%2FA%3E.%20Authentication%20session%20management%20capabilities%20allow%20you%20to%20configure%20how%20often%20your%20users%20need%20to%20provide%20sign-in%20credentials%20and%20whether%20they%20need%20to%20provide%20credentials%20after%20closing%20and%20reopening%20browsers%E2%80%94giving%20you%20fined-grained%20controls%20that%20can%20offer%20more%20security%20and%20flexibility%20in%20your%20environment.%20Authentication%20session%20management%20capabilities%20require%20Azure%20AD%20Premium%20P1%20subscription.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CFONT%20size%3D%224%22%3EGetting%20started%3C%2FFONT%3E%3CBR%20%2F%3ETo%20get%20started%2C%20set%20the%20sign-in%20frequency%2C%20which%20defines%20the%20time%20period%20before%20a%20user%20is%20asked%20to%20sign-in%20again%20when%20attempting%20to%20access%20a%20resource.%20You%20can%20set%20the%20value%20from%201%20hour%20to%20365%20days.%3CBR%20%2F%3EYou%20can%20also%20set%20a%20persistent%20browser%20session.%20This%20allows%20users%20to%20remain%20signed%20in%20after%20closing%20and%20reopening%20their%20browser%20window.%20We%20support%20two%20new%20settings%3A%20always%20persist%20or%20never%20persist.%20In%20both%20cases%2C%20you%E2%80%99ll%20make%20the%20decision%20on%20behalf%20of%20your%20users%20and%20they%20won%E2%80%99t%20see%20a%20%E2%80%9CStay%20signed%20in%3F%E2%80%9D%20prompt.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20614px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110999i8235F32ABACBABCE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%201.png%22%20title%3D%22Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%201.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%224%22%3EConfiguring%20authentication%20sessions%20for%20your%20environment%3C%2FFONT%3E%3CBR%20%2F%3EConfiguring%20how%20often%20your%20users%20need%20to%20provide%20credentials%20for%20sign-in%20and%20if%20their%20browser%20sessions%20will%20be%20persisted%20is%20a%20delicate%20balance%20between%20security%20and%20productivity.%20For%20most%20deployments%2C%20the%20Azure%20AD%20default%20configuration%20for%20authentication%20session%20already%20provides%20the%20necessary%20security%20while%20balancing%20a%20productive%20user%20experience.%20Asking%20users%20to%20frequently%20sign-in%20may%20not%20make%20sessions%20more%20secure%20and%20can%20hinder%20a%20productive%20user%20experience.%20So%20it%E2%80%99s%20important%20to%20consider%20if%20changing%20the%20default%20configuration%20is%20necessary%20for%20your%20environment.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EFor%20complex%20deployments%2C%20you%20might%20have%20a%20real%20need%20to%20restrict%20authentication%20sessions.%20Fine%20grained%20conditional%20access%20controls%20allow%20you%20to%20create%20policies%20that%20target%20specific%20use%20cases%20within%20your%20organization%20such%20as%20data%20access%20from%20unmanaged%20or%20shared%20devices%2C%20without%20affecting%20productivity%20of%20compliant%20users.%20With%20conditional%20access%20you%20can%20now%20adapt%20authentication%20session%20lifetime%20depending%20on%20sensitivity%20of%20a%20resource%2C%20user%20account%20privilege%2C%20authentication%20strength%2C%20device%20configuration%2C%20location%20and%20many%20other%20conditions.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EWe%E2%80%99re%20excited%20to%20provide%20these%20new%20enhancements%20to%20our%20customers%20and%20as%20always%2C%20we%E2%80%99d%20love%20to%20hear%20any%20feedback%20or%20suggestions%20you%20have.%20Let%20us%20know%20what%20you%20think%20in%20the%20comments%20below.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EBest%20regards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlex%20Simons%20(%40Alex_A_Simons)Corporate%20VP%20of%20Program%20ManagementMicrosoft%20Identity%20Division%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CEM%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%20This%20feature%20replaces%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-configurable-token-lifetimes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConfigurable%20Token%20Lifetimes%3C%2FA%3E%20feature%20currently%20in%20public%20preview.%20If%20you%E2%80%99re%20using%20Configurable%20Token%20Lifetimes%2C%20please%20make%20plans%20to%20transition%20to%20conditional%20access%20for%20authentication%20sessions%20management.%20Configurable%20Token%20Lifetime%20will%20be%20retired%20six%20months%20from%20now%20on%20October%2015%2C%202019.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-500983%22%20slang%3D%22en-US%22%3E%3CP%3EAuthentication%20sessions%20management%20capabilities%20allow%20you%20to%20configure%20how%20often%20users%20need%20to%20provide%20sign-in%20credentials.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20614px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110998i7AA8F8725CC9F190%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%201.png%22%20title%3D%22Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%201.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-500983%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-621895%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-621895%22%20slang%3D%22en-US%22%3E%3CP%3Ecould%20you%20please%20provide%20more%20clarity%20for%20following%20scenarios%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20For%20federated%20users%20using%20ADFS%2C%20which%20settings%20apply.%20ADFS%20PSSO%20or%20conditional%20access%20sign-in%20frequency%20and%20persistence%20browser%3C%2FP%3E%3CP%3E2.%20What%20are%20the%20defaults%20PSSO%20%26amp%3B%20refresh%20token%20lifetimes.%20Is%20it%2090%20days%20or%20180%20days%20max%20inactive%20time%20with%20max%20age%20'until-revoked'%3F%3C%2FP%3E%3CP%3E3.%20What%20happens%20to%20'Stay%20signed%20in'%20dialog%20if%20conditional%20access%20settings%20are%20set%20to%20'Persist'%20browser%20session.%20Does%20it%20still%20show%20up%20or%20is%20it%20up-to%20an%20administrator%20to%20hide%20this%20dialog%20box%20in%20company%20branding%20and%20simply%20use%20conditional%20access%20to%20either%20persist%20or%20not%20persist%20a%20browser%20session%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-638901%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-638901%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Alex.%20This%20is%20good%20news!%20A%20clarification%2Fquestion%20on%20using%20Sign-ins%20Frequency%20in%20CA%20rules%3C%2FP%3E%3CUL%3E%3CLI%3EIf%20I%20configure%20the%20new%20Conditional%20Access%20policy%20with%20Sign-In%20Frequency%20set%20to%2030%20days%20for%20devices%20connecting%20to%20Exchange%20Online%20from%20an%20external%20network%2C%20users%20would%20be%20required%20to%20perform%20an%20interactive%20login%20(user%20must%20type%20in%20Id%2Fpassword)%20every%2030%20days.%20AND%20if%20MFA%20was%20required%20on%20the%20CA%20rule%20as%20condition%2C%20the%20user%20would%20also%20be%20MFA%20challenged%20every%2030%20days.%20Correct%3F%3C%2FLI%3E%3CUL%3E%3CLI%3EThe%20authentication%20and%20MFA%20challenge%20above%20would%20be%20scoped%20to%20EXO%20and%20therefore%20if%20a%20separate%20CA%20rule%20had%20the%20same%20Sign-in%20Frequency%20and%20MFA%20configuration%20but%20set%20for%20Sharepoint%20Online%2C%20user%20would%20be%20authenticating%20and%20MFA%20challenged%20on%202%20separate%20cycles%2C%20one%20cycle%20for%20EXO%20and%20another%20for%20SPO%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EIf%20the%20above%20are%20accurate%2C%20then%20I%20believe%201%20CA%20rule%20for%20all%20O365%20clouds%20apps%20(EXO%2C%20SPO%2C%20Yammer%20etc)%20with%20the%20same%20Sign-in%20and%20MFA%20configurations%20would%20have%20the%20effect%20of%20creating%201%20sign-in%2FMFA%20challenge%20cycle%20for%20all%20the%20apps%20in%20the%20policy.%20Correct%3F%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719374%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719374%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20these%202%20features%20will%20be%20launched.%20My%20question%20is%20whether%20%22User%20will%20be%20asked%20for%20MFA%20Authentication%20or%20Single%20Factor%20Sign%20IN%26nbsp%3Bwith%20CA%20policy%20enabled%20for%20Sign%20in%20Frequency%20as%201hour.%20And%20MFA%20is%20enabled%20for%20this%20user.%22%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-753160%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-753160%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F199790%22%20target%3D%22_blank%22%3E%40Tony%20Rogers%3C%2FA%3E%2C%20the%20default%20lifetime%20is%20until%20the%20session%20revoked%20with%2090%20days%20of%20inactivity%20window.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F82113%22%20target%3D%22_blank%22%3E%40Andrew%20Liggett%3C%2FA%3E%2C%20this%20affects%20refresh%20tokens%20and%20session%20cookies.%20User%20will%20need%20to%20re-authenticate%2C%20including%20redirection%20to%20the%20federated%20IDP.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F79705%22%20target%3D%22_blank%22%3E%40Gurdev%20Singh%3C%2FA%3E%26nbsp%3B%2C%20I%20believe%20your%20questions%20have%20been%20covered%20in%20the%20public%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-session-lifetime%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumentation%20for%20the%20feature%3C%2FA%3E.%20Please%20take%20a%20look.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102408%22%20target%3D%22_blank%22%3E%40Manoj%20Sood%3C%2FA%3E%2C%20your%20points%20are%20correct%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F344887%22%20target%3D%22_blank%22%3E%40anubha23%3C%2FA%3E%2C%20if%20MFA%20is%20enabled%20user%20will%20be%20prompted%20for%20both%20factors.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-882940%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-882940%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20good%20step%20but%20how%20would%20this%20condition%20be%20satisfied%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20several%20(not%20ALL)%20applications%20that%20we%20want%20to%20force%20MFA%20on%20every%20sign-in%2C%20including%20if%20they%20close%20and%20relaunch%20the%20browser%20(persistent%20cookie).%3C%2FP%3E%3CP%3EThe%20risk%20here%20is%20someone%20logs%20in%20to%20the%20app%2C%20reviews%20what%20they%20need%2C%20and%20then%20closes%20the%20browser%20and%20walks%20away%20from%20their%20desk.%26nbsp%3B%20Someone%20else%20then%20sits%20down%20and%20opens%20the%20browser%20to%20the%20same%20web%20site%20and%20automatically%20gets%20in%20due%20to%20the%20persistent%20cookie.%3C%2FP%3E%3CP%3EWe%20would%20not%20want%20to%20have%20to%20remove%20the%20token%20for%20every%20application%20and%20therefore%20force%20login%2FMFA%20for%20all%20apps%20every%20time.%3C%2FP%3E%3CP%3EAny%20way%20to%20handle%20this%20situation%20with%20the%20controls%20we%20have%20available%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1015334%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20authentication%20sessions%20in%20Azure%20AD%20conditional%20access%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1015334%22%20slang%3D%22en-US%22%3E%3CP%3Ewe%20have%20configured%20Sign%20in%20frequency%20in%20conditional%20access%20for%201%20hour%20%2C%20but%20the%20session%20timed%20out%20even%20it%20is%20active%20after%201%20hour.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20thought%20it%20will%20be%20timed%20out%20only%20if%20it%20is%20inactive.%20Please%20let%20us%20know%20your%20suggestions%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks,


I’m excited to announce public preview of authentication sessions management capabilities for Azure AD conditional access. Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers—giving you fined-grained controls that can offer more security and flexibility in your environment. Authentication session management capabilities require Azure AD Premium P1 subscription.


Getting started
To get started, set the sign-in frequency, which defines the time period before a user is asked to sign-in again when attempting to access a resource. You can set the value from 1 hour to 365 days.
You can also set a persistent browser session. This allows users to remain signed in after closing and reopening their browser window. We support two new settings: always persist or never persist. In both cases, you’ll make the decision on behalf of your users and they won’t see a “Stay signed in?” prompt.

 

Manage authentication sessions in Azure AD conditional access 1.png

 

Configuring authentication sessions for your environment
Configuring how often your users need to provide credentials for sign-in and if their browser sessions will be persisted is a delicate balance between security and productivity. For most deployments, the Azure AD default configuration for authentication session already provides the necessary security while balancing a productive user experience. Asking users to frequently sign-in may not make sessions more secure and can hinder a productive user experience. So it’s important to consider if changing the default configuration is necessary for your environment.


For complex deployments, you might have a real need to restrict authentication sessions. Fine grained conditional access controls allow you to create policies that target specific use cases within your organization such as data access from unmanaged or shared devices, without affecting productivity of compliant users. With conditional access you can now adapt authentication session lifetime depending on sensitivity of a resource, user account privilege, authentication strength, device configuration, location and many other conditions.


We’re excited to provide these new enhancements to our customers and as always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below.


Best regards,

 

Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division


Note: This feature replaces the Configurable Token Lifetimes feature currently in public preview. If you’re using Configurable Token Lifetimes, please make plans to transition to conditional access for authentication sessions management. Configurable Token Lifetime will be retired six months from now on October 15, 2019.

11 Comments
Senior Member

This is awesome. A more user-friendly way of managing token lifetimes!

 

Also, FYI, when I click on the "Click here to learn more" section of the "Persistent Browser session (Preview)", I brought to the Microsoft store page, not an article, well at least for me.

Deleted
Not applicable

What is the default session lifetime if I set the "Persistent browser session" option to "Always persist"?

Senior Member

Awesome feature!

@Deleted  I think the default session lifetime for persistent browser sessions will match the current default for Single sign-on session tokens with KMSI enabled. That is 180 days.

Occasional Visitor

what happen if the tenant does not have P1 license?

New Contributor

Hi,

 

When we set the Sign-In Frequency what portion of the oauth flow are we changing?  

 

Is it the Access Token or Refresh Token length that is being altered? 

 

Using an federated identity provider will we be forcing the client back through that identity provider?

 

Thanks

 

Andy

Contributor

could you please provide more clarity for following scenarios?

 

1. For federated users using ADFS, which settings apply. ADFS PSSO or conditional access sign-in frequency and persistence browser

2. What are the defaults PSSO & refresh token lifetimes. Is it 90 days or 180 days max inactive time with max age 'until-revoked'?

3. What happens to 'Stay signed in' dialog if conditional access settings are set to 'Persist' browser session. Does it still show up or is it up-to an administrator to hide this dialog box in company branding and simply use conditional access to either persist or not persist a browser session

Occasional Contributor

Thanks Alex. This is good news! A clarification/question on using Sign-ins Frequency in CA rules

  • If I configure the new Conditional Access policy with Sign-In Frequency set to 30 days for devices connecting to Exchange Online from an external network, users would be required to perform an interactive login (user must type in Id/password) every 30 days. AND if MFA was required on the CA rule as condition, the user would also be MFA challenged every 30 days. Correct?
    • The authentication and MFA challenge above would be scoped to EXO and therefore if a separate CA rule had the same Sign-in Frequency and MFA configuration but set for Sharepoint Online, user would be authenticating and MFA challenged on 2 separate cycles, one cycle for EXO and another for SPO
  • If the above are accurate, then I believe 1 CA rule for all O365 clouds apps (EXO, SPO, Yammer etc) with the same Sign-in and MFA configurations would have the effect of creating 1 sign-in/MFA challenge cycle for all the apps in the policy. Correct?
Microsoft

When these 2 features will be launched. My question is whether "User will be asked for MFA Authentication or Single Factor Sign IN with CA policy enabled for Sign in Frequency as 1hour. And MFA is enabled for this user."  

Occasional Visitor

@Tony Rogers, the default lifetime is until the session revoked with 90 days of inactivity window. 

 

@Andrew Liggett, this affects refresh tokens and session cookies. User will need to re-authenticate, including redirection to the federated IDP.  

@Gurdev Singh , I believe your questions have been covered in the public documentation for the feature. Please take a look. 

@Manoj Sood, your points are correct

@anubha23, if MFA is enabled user will be prompted for both factors. 

Senior Member

This is a good step but how would this condition be satisfied:

 

We have several (not ALL) applications that we want to force MFA on every sign-in, including if they close and relaunch the browser (persistent cookie).

The risk here is someone logs in to the app, reviews what they need, and then closes the browser and walks away from their desk.  Someone else then sits down and opens the browser to the same web site and automatically gets in due to the persistent cookie.

We would not want to have to remove the token for every application and therefore force login/MFA for all apps every time.

Any way to handle this situation with the controls we have available?

we have configured Sign in frequency in conditional access for 1 hour , but the session timed out even it is active after 1 hour. 

 

we thought it will be timed out only if it is inactive. Please let us know your suggestions