None Cached Browser(llogin) 100% of the time

Highlighted
Frequent Contributor

Hey Fellow Community Members, I have a question that I just cannot seem to find a good answer for. I have a customer that wants the user/pass to show up each time a user logs in. Sounds simple right....

What i mean by that is, I need it to not cache anything. I know you can set default ActivityBasedAuthenticationTimeoutInterval token to a lower setting, but I cannot figure out how to make it where it just expires once the browser closes.

The user can log into portal.office.com, click Mail, work, then close browser. When he goes back to portal.office.com, it just logs him in without asking for user/pass

Anyways, I am just looking for suggestions on how or what to do. We are testing around with some MFA settings and other parameters but I wanted to throw this out there to see what your great minds come up with.

Thanks in advanced for your help

12 Replies
Highlighted
Is the scenario a shared computer environment?
Highlighted

no, no shared computer

Highlighted
Then can I ask why it's needed if the computer isn't shared?
Highlighted

First, because its what the customer asked for

 

Second, i took a shared computer environment you were asking as in a terminal server environment

and its not part of that

 

Lets say the user logs into his account at a friends house, internet cafe, or anywhere else, and forgets to log out. If the browser cache's cookies, then anyone can login to the users account. We actually tested it here on a VM and even after 3 days, we were still able to log right back in , without putting in a password. The browser just logged right back into that users account.

 

We have a ticket open with Microsoft as we find this a big flaw. not sure if its part of MFA bug or what, but the customer was looking for a way to make it work. Now we know, if the customer clicks "log out" this wont happen, but we are looking for the times users forget to click Log out.

Highlighted
Also, to throw more fuel on the fire

If the user checks the box "keep me signed in" by mistake, that will basically make the local cache copy take precedence over any O365 times outs and basically will keep that user signed in indefinitely.

I know a lot of this has turned to the making sure the user does not do this, or making sure the user "Does this", but sometimes, users make mistakes, and it could be a costly one so we are just trying to come up with ideas on how we can fight it and not leave it up to the user
Highlighted

If your auto logging in you sure you aren't on a domain joined machine with SSO setup? Your experience is going to differ on machines not part of the domain. I'm my case this is how we are setup with the more recent SSO you get auto logged in. I know I saw some sessions around setting up policies to not allow saving etc. when your not on domain joined machines etc using conditional access but this might require Azure AD Premium licenses. If I get a chance here in a bit I'll try to dig up some info on that. 

Highlighted

Check out this video, it has some examples of Settings things like require MFA when outside the office, on unsupported devices etc. Even locks down remove browser devices from downloading content from SharePoint etc. and other things. It's pretty powerful stuff. But this should get you going. 

https://www.youtube.com/watch?v=1VN47TgdDGA

 

 

In this session, we show how you can secure access to Office 365, SaaS apps, and on-premises apps with an innovative approach designed for the modern world u...
Highlighted
No, we set up the test on a VM, plus we are the partner, not the customer
Highlighted
Highlighted

Speak of the devil, tweet just came in, this is what it was that I saw at ignite. Exactly what your looking for I think. https://techcommunity.microsoft.com/t5/SharePoint-Blog/Introducing-Idle-Session-Timeout-in-SharePoin...

 

 

Highlighted
Very Interesting. Thanks Chris
Highlighted

“and forgets to log out” then yes, this would be expected behaviour. 

 

Also so in your testing make sure that when you say they were able to login again afte three days, did you close the browser (and by that I mean all instances of the browser, tabs and all).

 

Ideally your users should always log out when they are finished, and even better is to use InPrivate or Incognito settings in the guest machine they are using. Then there is no issue as close the browser or log out and the cookies are removed.

 

For MFA with O365 (the free one built in) you can get an MFA prompt at each login, but if the user does not close browser or log out, the second attempt to login is not a new attempt but a continuation of the new session, and free MFA feature you will be prompted on all networks including trusted ones. With Conditional Access (part of Azure AD Premium) you can have limitations on where you can login, so you cannot login on untrusted machines or require MFA on untrusted networks, but if your users do not log out, all bets are off...