O365 MFA, SSO, Token Lifetimes

Hi All,

Thought I would ask the question here about the various methods and to confirm token lifetimes.

So just the background: earlier this year we had enabled per-user MFA
(Office Admin center -> Users -> Multifactor Authentication) along with Trusted IPs, app passwords disabled, and have not enabled the option "Allow users to remember multi-factor authentication on devices they trust".

This method was always meant to be temporary as we are working towards moving over to CA policies.

Recently have seen a few things.

With applications that support seamless SSO and OpenID Connect, we have realised that the token won't be kept active for longer than when the browser is closed, as the "Keep me signed in" option does not show unless in safe browsing mode.

Along with that, our remote workers, who connect via DirectAccess over a split tunnel with a PAC file that dictates the connections to remote services (i.e. the user is coming from a Trusted IP, as the MS services are set to go directly out), are prompted for 2FA also.

So with the current setup, how can we increase the request token for those instances, so ideally the user isn't having to OAuth every 8-12 hours or when closing and opening the browser?

Any feedback will be great.
2 Replies

@vas_ppabp_90 Hey, trying to understand, but it's difficult sometimes! I'm just gonna link to these two pages and hopefully guide you in the right direction.


Configurable token lifetimes in Microsoft identity platform (Preview)

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...


Or if going towards CA


Configure authentication session management with Conditional Access

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...
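As an added example (not from the thread, and not Microsoft's own sample), this is what the second suggestion, Conditional Access session management, looks like when created with the Microsoft Graph PowerShell SDK: an MFA grant paired with a 14-day sign-in frequency and a persistent browser session, so the MFA challenge is reused instead of returning every 8-12 hours or on every browser restart. The display name, the 14-day value and the excluded break-glass account id are assumptions; the persistent browser control only applies when the policy targets all cloud apps, which is why the policy scopes to "All".

```powershell
# Added example: report-only Conditional Access policy with session controls.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access admin role.
# Display name, 14-day value and the excluded account id are assumed/placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA-MFA-Session-14d (report-only pilot)"
    # Report-only first: sign-in logs show what the policy WOULD do before it enforces.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Keep at least one emergency-access account out of every MFA policy.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")
        }
        # Persistent browser session requires the policy to cover all cloud apps.
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Re-authenticate at most every 14 days instead of the default rolling window.
        signInFrequency   = @{ value = 14; type = "days"; isEnabled = $true }
        # Keep the browser session after the browser is closed ("stay signed in").
        persistentBrowser = @{ mode = "always"; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the Azure AD sign-in logs before switching `state` to `enabled`, and check that the remote workers' sign-ins show the expected session-control outcome rather than a repeated MFA requirement.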


@bec064 it sure is!


Had come across these in my travels and put something in place.