Oct 20 2017 10:32 PM
Hey Fellow Community Members, I have a question that I just cannot seem to find a good answer for. I have a customer that wants the user/pass to show up each time a user logs in. Sounds simple right....
What I mean by that is, I need it to not cache anything. I know you can set the default ActivityBasedAuthenticationTimeoutInterval token to a lower setting, but I cannot figure out how to make it expire once the browser closes.
The user can log into portal.office.com, click Mail, work, then close the browser. When he goes back to portal.office.com, it just logs him in without asking for user/pass.
Anyways, I am just looking for suggestions on how or what to do. We are testing around with some MFA settings and other parameters but I wanted to throw this out there to see what your great minds come up with.
Thanks in advance for your help
Oct 24 2017 10:04 AM
First, because it's what the customer asked for.
Second, I took the shared computer environment you were asking about as a terminal server environment, and it's not part of that.
Let's say the user logs into his account at a friend's house, internet cafe, or anywhere else, and forgets to log out. If the browser caches cookies, then anyone can log in to the user's account. We actually tested it here on a VM and even after 3 days, we were still able to log right back in, without putting in a password. The browser just logged right back into that user's account.
We have a ticket open with Microsoft as we find this a big flaw. Not sure if it's part of an MFA bug or what, but the customer was looking for a way to make it work. Now we know, if the customer clicks "log out" this won't happen, but we are looking for the times users forget to click Log out.
Oct 24 2017 10:39 AM
If you're auto logging in, are you sure you aren't on a domain joined machine with SSO set up? Your experience is going to differ on machines not part of the domain. In my case this is how we are set up; with the more recent SSO you get auto logged in. I know I saw some sessions around setting up policies to not allow saving etc. when you're not on domain joined machines, using conditional access, but this might require Azure AD Premium licenses. If I get a chance here in a bit I'll try to dig up some info on that.
Oct 24 2017 10:47 AM
Check out this video, it has some examples of setting things like require MFA when outside the office, on unsupported devices etc. It even locks down remote browser devices from downloading content from SharePoint etc. and other things. It's pretty powerful stuff. But this should get you going.
https://www.youtube.com/watch?v=1VN47TgdDGA
Oct 24 2017 12:59 PM
Speak of the devil, a tweet just came in, this is what it was that I saw at Ignite. Exactly what you're looking for I think. https://techcommunity.microsoft.com/t5/SharePoint-Blog/Introducing-Idle-Session-Timeout-in-SharePoin...
Nov 04 2017 04:31 AM
“and forgets to log out” then yes, this would be expected behaviour.
Also, in your testing, when you say they were able to log in again after three days, make sure you closed the browser (and by that I mean all instances of the browser, tabs and all).
Ideally your users should always log out when they are finished, and even better is to use InPrivate or Incognito settings on the guest machine they are using. Then there is no issue, as closing the browser or logging out removes the cookies.
For MFA with O365 (the free one built in) you can get an MFA prompt at each login, but if the user does not close the browser or log out, the second attempt to log in is not a new attempt but a continuation of the existing session, and with the free MFA feature you will be prompted on all networks including trusted ones. With Conditional Access (part of Azure AD Premium) you can have limitations on where you can log in, so you cannot log in on untrusted machines or require MFA on untrusted networks, but if your users do not log out, all bets are off...
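The distinction the replies above turn on is whether the browser is holding a session cookie (dropped when every browser window closes) or a persistent cookie with an Expires or Max-Age attribute, which survives a browser close exactly as the three-day test in the thread observed. The following is an added example, not code from the thread or from Microsoft: it classifies Set-Cookie headers by lifetime so an admin can check which cookies a sign-in page hands back would still be valid after the browser closes. The header values are constructed samples, and the function names are my own.

```javascript
// Split one Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, value] = parts[0].split('=');
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, value, attrs };
}

// Number of days the cookie remains valid after a full browser close.
// A cookie with neither Max-Age nor Expires is a session cookie and returns 0.
// Max-Age takes precedence over Expires, as browsers do. `now` is the time the
// header was received.
function persistentDays(header, now) {
  const { attrs } = parseSetCookie(header);
  if (attrs['max-age'] !== undefined) {
    return Math.max(0, Number(attrs['max-age']) / 86400);
  }
  if (attrs.expires !== undefined) {
    const ms = Date.parse(attrs.expires) - now.getTime();
    return Math.max(0, ms / 86400000);
  }
  return 0;
}

// Names of cookies that would outlive a browser close by more than `maxDays`.
function flagLongLivedCookies(headers, now, maxDays) {
  return headers
    .map((h) => ({ name: parseSetCookie(h).name, days: persistentDays(h, now) }))
    .filter((c) => c.days > maxDays)
    .map((c) => c.name);
}

// Constructed sample headers (not real Office 365 cookies) received at this time.
const RECEIVED_AT = new Date('2017-10-24T10:00:00Z');
const SAMPLE_HEADERS = [
  'SessionId=abc123; Path=/; Secure; HttpOnly',                 // session cookie
  'AuthToken=xyz789; Path=/; Secure; HttpOnly; Max-Age=259200', // 3 days
  'Prefs=dark; Path=/; Expires=Fri, 24 Nov 2017 10:00:00 GMT',  // 31 days
];

console.log(flagLongLivedCookies(SAMPLE_HEADERS, RECEIVED_AT, 1)); // [ 'AuthToken', 'Prefs' ]
```

Only the first sample is cleared by closing the browser; the other two persist, which is why logging out (so the server invalidates the session) matters more than closing the window.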