cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Manage authentication sessions in Azure AD conditional access is now in public preview!
By
Alex Simons (AZURE)
Published May 01 2019 09:00 AM 43.7K Views
Alex Simons (AZURE)
Microsoft
‎May 01 2019 09:00 AM

Manage authentication sessions in Azure AD conditional access is now in public preview!

‎May 01 2019 09:00 AM

Howdy folks,


I’m excited to announce public preview of authentication sessions management capabilities for Azure AD conditional access. Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers—giving you fined-grained controls that can offer more security and flexibility in your environment. Authentication session management capabilities require Azure AD Premium P1 subscription.


Getting started
To get started, set the sign-in frequency, which defines the time period before a user is asked to sign-in again when attempting to access a resource. You can set the value from 1 hour to 365 days.
You can also set a persistent browser session. This allows users to remain signed in after closing and reopening their browser window. We support two new settings: always persist or never persist. In both cases, you’ll make the decision on behalf of your users and they won’t see a “Stay signed in?” prompt.

 

Manage authentication sessions in Azure AD conditional access 1.png

 

Configuring authentication sessions for your environment
Configuring how often your users need to provide credentials for sign-in and if their browser sessions will be persisted is a delicate balance between security and productivity. For most deployments, the Azure AD default configuration for authentication session already provides the necessary security while balancing a productive user experience. Asking users to frequently sign-in may not make sessions more secure and can hinder a productive user experience. So it’s important to consider if changing the default configuration is necessary for your environment.


For complex deployments, you might have a real need to restrict authentication sessions. Fine grained conditional access controls allow you to create policies that target specific use cases within your organization such as data access from unmanaged or shared devices, without affecting productivity of compliant users. With conditional access you can now adapt authentication session lifetime depending on sensitivity of a resource, user account privilege, authentication strength, device configuration, location and many other conditions.


We’re excited to provide these new enhancements to our customers and as always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below.


Best regards,

 

Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division


Note: This feature replaces the Configurable Token Lifetimes feature currently in public preview. If you’re using Configurable Token Lifetimes, please make plans to transition to conditional access for authentication sessions management. Configurable Token Lifetime will be retired six months from now on October 15, 2019.

20 Comments
srobin1
Brass Contributor
‎May 01 2019 01:25 PM
‎May 01 2019 01:25 PM

This is awesome. A more user-friendly way of managing token lifetimes!

 

Also, FYI, when I click on the "Click here to learn more" section of the "Persistent Browser session (Preview)", I brought to the Microsoft store page, not an article, well at least for me.

0 Likes
Like
Deleted
Not applicable
‎May 02 2019 12:12 AM
‎May 02 2019 12:12 AM

What is the default session lifetime if I set the "Persistent browser session" option to "Always persist"?

0 Likes
Like
Jörg Bolten
Copper Contributor
‎May 02 2019 12:03 PM
‎May 02 2019 12:03 PM

Awesome feature!

@Deleted  I think the default session lifetime for persistent browser sessions will match the current default for Single sign-on session tokens with KMSI enabled. That is 180 days.

0 Likes
Like
sachintechie
Copper Contributor
‎May 08 2019 03:08 AM
‎May 08 2019 03:08 AM

what happen if the tenant does not have P1 license?

0 Likes
Like
Andrew Liggett
Copper Contributor
‎May 13 2019 06:45 AM
‎May 13 2019 06:45 AM

Hi,

 

When we set the Sign-In Frequency what portion of the oauth flow are we changing?  

 

Is it the Access Token or Refresh Token length that is being altered? 

 

Using an federated identity provider will we be forcing the client back through that identity provider?

 

Thanks

 

Andy

0 Likes
Like
Gurdev Singh
Iron Contributor
‎May 20 2019 10:15 PM
‎May 20 2019 10:15 PM

could you please provide more clarity for following scenarios?

 

1. For federated users using ADFS, which settings apply. ADFS PSSO or conditional access sign-in frequency and persistence browser

2. What are the defaults PSSO & refresh token lifetimes. Is it 90 days or 180 days max inactive time with max age 'until-revoked'?

3. What happens to 'Stay signed in' dialog if conditional access settings are set to 'Persist' browser session. Does it still show up or is it up-to an administrator to hide this dialog box in company branding and simply use conditional access to either persist or not persist a browser session

0 Likes
Like
Manoj Sood
Brass Contributor
‎May 23 2019 12:06 PM
‎May 23 2019 12:06 PM

Thanks Alex. This is good news! A clarification/question on using Sign-ins Frequency in CA rules

  • If I configure the new Conditional Access policy with Sign-In Frequency set to 30 days for devices connecting to Exchange Online from an external network, users would be required to perform an interactive login (user must type in Id/password) every 30 days. AND if MFA was required on the CA rule as condition, the user would also be MFA challenged every 30 days. Correct?
    • The authentication and MFA challenge above would be scoped to EXO and therefore if a separate CA rule had the same Sign-in Frequency and MFA configuration but set for Sharepoint Online, user would be authenticating and MFA challenged on 2 separate cycles, one cycle for EXO and another for SPO
  • If the above are accurate, then I believe 1 CA rule for all O365 clouds apps (EXO, SPO, Yammer etc) with the same Sign-in and MFA configurations would have the effect of creating 1 sign-in/MFA challenge cycle for all the apps in the policy. Correct?
anubha23
Microsoft
‎Jun 25 2019 03:33 AM
‎Jun 25 2019 03:33 AM

When these 2 features will be launched. My question is whether "User will be asked for MFA Authentication or Single Factor Sign IN with CA policy enabled for Sign in Frequency as 1hour. And MFA is enabled for this user."  

0 Likes
Like
annabarh
Microsoft
‎Jul 12 2019 04:31 PM
‎Jul 12 2019 04:31 PM

@Tony Rogers, the default lifetime is until the session revoked with 90 days of inactivity window. 

 

@Andrew Liggett, this affects refresh tokens and session cookies. User will need to re-authenticate, including redirection to the federated IDP.  

@Gurdev Singh , I believe your questions have been covered in the public documentation for the feature. Please take a look. 

@Manoj Sood, your points are correct

@anubha23, if MFA is enabled user will be prompted for both factors. 

0 Likes
Like
Mark Simone
Brass Contributor
‎Sep 30 2019 09:36 AM
‎Sep 30 2019 09:36 AM

This is a good step but how would this condition be satisfied:

 

We have several (not ALL) applications that we want to force MFA on every sign-in, including if they close and relaunch the browser (persistent cookie).

The risk here is someone logs in to the app, reviews what they need, and then closes the browser and walks away from their desk.  Someone else then sits down and opens the browser to the same web site and automatically gets in due to the persistent cookie.

We would not want to have to remove the token for every application and therefore force login/MFA for all apps every time.

Any way to handle this situation with the controls we have available?

0 Likes
Like
Sankarasubramanian Parameswaran
Iron Contributor
‎Nov 18 2019 10:24 AM
‎Nov 18 2019 10:24 AM

we have configured Sign in frequency in conditional access for 1 hour , but the session timed out even it is active after 1 hour. 

 

we thought it will be timed out only if it is inactive. Please let us know your suggestions

swhitestrath
Brass Contributor
‎Jan 30 2020 07:19 AM
‎Jan 30 2020 07:19 AM

@Sankarasubramanian Parameswaran "The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer". I think the inactive period is only for the default of 90 Days. If you set this value the user is signed out regardless of inactivity. Some clarity would be good on this though. 

0 Likes
Like
techrambler
Copper Contributor
‎Feb 25 2020 04:43 AM
‎Feb 25 2020 04:43 AM

I no longer see the "Sign-in frequency" and "Persistent browser session" settings in portal.

I had a trial policy set up and that one seems to still exist.

 

Any changes made regarding this?

dlongpre
Copper Contributor
‎Feb 25 2020 11:46 AM
‎Feb 25 2020 11:46 AM

Same here, I no longer see the "Sign-in frequency" ... Is it a bug ?

 

Any changes ? 

0 Likes
Like
techrambler
Copper Contributor
‎Feb 25 2020 10:49 PM
‎Feb 25 2020 10:49 PM

I guess it was a "bug", today they are back again. 

0 Likes
Like
dlongpre
Copper Contributor
‎Feb 26 2020 07:14 AM
‎Feb 26 2020 07:14 AM

Exact ! That came back to normal late last night. I notice that  Sign-in option frequency is no more "preview" ... 

 

dlongpre_0-1582730071420.png

 

0 Likes
Like
kwilcox93
Copper Contributor
‎Mar 04 2020 07:44 PM
‎Mar 04 2020 07:44 PM

I recently used conditional access to enforce MFA. I set Sign-in frequency to 30 days and I set persistent browser session to always persistent.

 

However my Microsoft Flow / Power Automate flows are now failing because I am not authenticated. I tried to exclude Flow in the conditional access settings, but it gave me an error that said "Invalid session control."

 

This post talks about the tokens: https://support.microsoft.com/en-us/help/4467879/conditional-access-and-multi-factor-authentication-...

 

Should I be following that post or doing something else?

NAlexN
Copper Contributor
‎Mar 12 2020 02:41 AM
‎Mar 12 2020 02:41 AM

Hi, 

 

this is wonderful. I have a question regarding the policy execution.

 

If we set policy

AllowUser|EXO+EnterpriseApp|Windows|Browser|RequireHybrid

and I create another

AllowUser|AllApps|Grant(without any additional requirement)|PersistentBrowser:Never ,

 

it somehow lets us to our Ent. application without MFA and Hybrid. Can you explain why. Shouldn't all info from CAs be collected and users should be asked to satisfy additional requirements - which is MFA and Hybrid, and nevertheless browser session policy should be applied?

 

Can you tell us if this setting could soon be available per app basis and not global?

 

Thank you once again for your post and best regards

0 Likes
Like
Frederick_Po
Copper Contributor
‎Apr 29 2020 06:11 AM
‎Apr 29 2020 06:11 AM

@kwilcox93  the persistent browser session control works only if you select all cloud apps if you try to exclude an application you will get invalid session control. 

uzhxhqyd39
Brass Contributor
‎Sep 01 2020 02:23 AM
‎Sep 01 2020 02:23 AM

we have exactly the same situation as @kwilcox93 .

 

Is there a supported way to have MFA enabled for a user and using it in Power Automate Flows and Logic Apps?

e..g securing a service account with MFA but still use full functionality (and no re-signin topics) in Flow and Logic Apps?

0 Likes
Like
Version history
Last update:
‎Jul 24 2020 01:37 AM
Updated by: