Many of you have already been using Azure Active Directory (Azure AD) Conditional Access’s authentication sessions management capabilities in public preview. We’d like to thank all the customers who have tried the preview and provided us valuable feedback.
Today, I’m excited to announce this feature is now generally available!
Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials again after closing and reopening their browser, giving you fine-grained controls that can offer more security and flexibility in your environment.
Authentication session management used to apply only to first-factor authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices; there was no easy way for customers to re-enforce multi-factor authentication (MFA) on those devices. We heard the feedback loud and clear, and we have addressed the issue: authentication session management now applies to MFA as well.
Authentication session management capabilities require an Azure AD Premium P1 subscription and can be configured from the Azure AD portal. First, sign in to the Azure portal with a global administrator account. Next, navigate to Azure AD Conditional Access, then open an existing policy or create a new one; you'll find Session under Access controls, as shown below:
Configure sign-in frequency
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. You can set the value from 1 hour to 365 days.
Configure persistent browser session
This setting allows users to remain signed in after closing and reopening their browser window. We support two new settings: always persist or never persist. In both cases, you’ll make the decision on behalf of your users and they won’t see a “Stay signed in?” prompt.
Configuring how often your users need to provide credentials for sign-in and whether their browser sessions persist is a delicate balance between security and productivity. For most deployments, the Azure AD default configuration for authentication sessions already provides the necessary security while preserving a productive user experience. Please consider carefully whether changing the default configuration is necessary for your environment.
If you do have a real need to restrict authentication sessions for specific use cases within your organization, such as data accessed from unmanaged or shared devices, combine the session controls with the other Conditional Access conditions so that authentication session lifetime varies with the sensitivity of a resource, user account privilege, authentication strength, device configuration, and location.
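The following is an added example, not code from the original post or from Microsoft: it assembles the request body that the Microsoft Graph endpoint POST /identity/conditionalAccess/policies expects for the unmanaged-device scenario above (a short sign-in frequency and no persistent browser session, scoped to devices that are neither compliant nor hybrid Azure AD joined), and checks the session controls against the limits stated in the post before anything would be sent. The property names follow the Graph conditionalAccessPolicy resource; the display name, the group id and the device filter rule are placeholder assumptions chosen for illustration. Nothing is sent over the network.

```python
"""Build and sanity-check an Azure AD Conditional Access policy body with
session controls (sign-in frequency, persistent browser session).

Added example; not the original post's code. Property names follow the Graph
conditionalAccessPolicy resource. The display name, group id and device
filter rule below are placeholder assumptions for illustration only.
"""
import json

# Limits stated in the post: sign-in frequency runs from 1 hour to 365 days,
# and a persistent browser session is either always or never persisted.
MIN_HOURS = 1
MAX_HOURS = 365 * 24
PERSIST_MODES = {"always", "never"}


def sign_in_frequency_hours(value: int, unit: str) -> int:
    """Normalise a Graph signInFrequency (value, type) pair to whole hours."""
    if unit == "hours":
        return value
    if unit == "days":
        return value * 24
    raise ValueError(f"unsupported signInFrequency type: {unit!r}")


def validate_session_controls(session: dict) -> None:
    """Raise ValueError if the session controls fall outside the documented ranges."""
    sif = session.get("signInFrequency")
    if sif and sif.get("isEnabled"):
        hours = sign_in_frequency_hours(int(sif["value"]), sif["type"])
        if not MIN_HOURS <= hours <= MAX_HOURS:
            raise ValueError(
                f"signInFrequency must be 1 hour to 365 days, got {hours} hours"
            )
    pb = session.get("persistentBrowser")
    if pb and pb.get("isEnabled") and pb.get("mode") not in PERSIST_MODES:
        raise ValueError(
            f"persistentBrowser mode must be 'always' or 'never', got {pb.get('mode')!r}"
        )


def session_controls_ok(session: dict) -> bool:
    """Boolean wrapper around validate_session_controls for quick checks."""
    try:
        validate_session_controls(session)
        return True
    except ValueError:
        return False


def build_unmanaged_device_policy(group_id: str,
                                  frequency_hours: int = 1,
                                  persist: str = "never") -> dict:
    """Policy that re-prompts every `frequency_hours` and controls browser
    persistence for users in `group_id` when the device is not compliant
    and not hybrid Azure AD joined (assumed device filter rule)."""
    policy = {
        "displayName": "Session controls - unmanaged devices",  # placeholder name
        # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            # Persistent browser session only behaves as intended with all cloud apps in scope.
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            # Exclude managed devices so the policy only hits unmanaged ones.
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",
                    "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"',
                }
            },
        },
        "sessionControls": {
            "signInFrequency": {"value": frequency_hours, "type": "hours", "isEnabled": True},
            "persistentBrowser": {"mode": persist, "isEnabled": True},
        },
    }
    validate_session_controls(policy["sessionControls"])
    return policy


if __name__ == "__main__":
    # Placeholder group id (constructed); print the body you would POST to Graph.
    body = build_unmanaged_device_policy("00000000-0000-0000-0000-000000000000")
    print(json.dumps(body, indent=2))
```

Two practitioner notes on the design: the policy is created in report-only state so you can confirm from the sign-in logs which users and devices it would catch before enforcing it, and the application scope is "All" because the persistent browser session control only works as intended when the policy targets all cloud apps.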
As always, we're eager to hear from you! Please don’t hesitate to give us feedback on the Azure AD UserVoice forum or by leaving a comment below.
Stay safe and be well,
Alex Simons (@Alex_A_Simons) Corporate VP of Program Management Microsoft Identity Division