Conditional Access: Can someone please explain sign-in frequency and persistent browser session

Good morning, afternoon and evening everyone.

So can someone please explain the difference between Sign-in Frequency and persistent browser session?

Do I need to use both? I can read that sign-in frequency is what it says on the tin: as long as a user is active within the time set here (by default that's 90 days), the user should not be asked to sign in again.

Now introduce persistent browser session, and you can set it to always or never. I understand it as follows: if you set it to never, a persistent cookie in the browser is not generated, so closing the browser and opening it up again would ask you to log in again; and persistent session means you can close the window, you can restart the computer, and you are not asked to sign in again.

That sounds like the sign-in frequency. What am I missing?

Please do explain in simple English terms :) I'm a little stupid it seems :D

7 Replies
I hope to be able to tell if I need both or just one of them, and what the effect on users is if one or the other or both is set.
Think of the sign-in frequency as controlling the lifetime of the refresh token. Persistent session allows the browser to store the refresh token (which is usually kept in memory only), so it can be reused after you close/reopen all browser windows.

Refer to the documentation for more info: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...
Hi Vasil,

Thank you for that article; that explains it quite well. The article gives an example: if you have your sign-in frequency set to 1 hour, and at 00:00 you log in to office.com and sit and work for an hour, at 01:00 you will be asked to log in again as per the sign-in frequency setting. Makes total sense and I am good with that.

In regards to the persistent session, if set to always, it will keep the browser session going even after the browser is closed or the computer rebooted.

If persistent session is set to never, then as soon as you close the browser or reboot the computer you have to log in again. Is that correct, regardless of the sign-in frequency setting?

From the conditional access policy page on persistent session, it says this:
------------------------------------------
A persistent browser session allows users to remain signed in after closing and reopening their browser window.

This setting works correctly when "All cloud apps" are selected
This does not affect token lifetimes or the sign-in frequency setting.
This will override the "Show option to stay signed in" policy in Company Branding.
"Never persistent" will override any persistent SSO claims passed in from federated authentication services.
"Never persistent" will prevent SSO on mobile devices across applications and between applications and the user's mobile browser.
--------------------------------------------
Sounds like the first note, about it working with "All cloud apps" selected, means it is all or nothing? Can't say for "App1, App2 & App4" do always persistent but for App3 never persistent.

It also says it does not affect the sign-in frequency setting, but I guess it does if it's never persistent, in the sense that once you close your browser you would have to sign in again once you re-open it?

We have sign-in frequency set to 90 days and persistent browsing set to always. I don't think this is a good setting, as we have some devices that are shared, and staff use these devices (iPads) to log in to our HR system and do things like sickness, holiday requests and check-in and check-out.

I am interested in normal users not always having to log in and do MFA, but I also want to ensure some critical apps like our HR system or a password vault system really always ask for MFA.
Persistent session applies to "all apps" because the browser "shares" the cookie with all resources it applies to; you don't get a separate cookie per app/resource. It's not directly related to the sign-in frequency, in the sense that it's a simple "on/off" switch: either there is a cookie after you reopen the browser or not. But it does have a validity too, so you cannot use it indefinitely, so in that sense it is also tied to the SIF window.
For shared devices, you'd probably want a separate policy.
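As an added illustration (my own, not code from Microsoft or from anyone in this thread), the Python below models the two controls the way Vasil describes them: sign-in frequency bounds how long a session may run without a fresh interactive sign-in (the refresh-token lifetime), while persistent browser session only decides whether the session cookie survives closing and reopening the browser. It walks through the 1-hour example from the article and the shared-iPad case, and renders each policy's session controls as the Microsoft Graph `sessionControls` object. The policy names, timestamps and the "shared iPad" policy are constructed for the example; the Graph field names (`signInFrequency`, `persistentBrowser`) are the schema as I know it and should be checked against current documentation.

```python
"""Model of how the two Conditional Access session controls interact.

Constructed example, not Microsoft's code. Sign-in frequency (SIF) bounds
the time between interactive sign-ins; persistent browser session decides
whether the session cookie outlives closing all browser windows.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Tuple


@dataclass(frozen=True)
class SessionControls:
    name: str
    sign_in_frequency: timedelta   # maximum time between interactive sign-ins
    persistent_browser: str        # "always" or "never"

    def __post_init__(self) -> None:
        if self.persistent_browser not in ("always", "never"):
            raise ValueError("persistent_browser must be 'always' or 'never'")
        if self.sign_in_frequency <= timedelta(0):
            raise ValueError("sign_in_frequency must be positive")


@dataclass(frozen=True)
class BrowserSession:
    last_interactive_sign_in: datetime
    reopened: bool   # True if every browser window was closed since that sign-in


def must_reauthenticate(controls: SessionControls, session: BrowserSession,
                        now: datetime) -> Tuple[bool, str]:
    """Return (prompt_required, reason) for a request made at `now`.

    SIF is checked first: once it has elapsed the session is over regardless
    of any cookie. Otherwise the persistent setting only matters if the user
    actually closed and reopened the browser.
    """
    elapsed = now - session.last_interactive_sign_in
    if elapsed >= controls.sign_in_frequency:
        return True, "sign-in frequency elapsed"
    if session.reopened and controls.persistent_browser == "never":
        return True, "browser reopened and session is not persistent"
    return False, "existing session reused"


def graph_session_controls(controls: SessionControls) -> Dict[str, dict]:
    """Render the controls as a Graph conditionalAccessPolicy sessionControls
    object. Field names are my understanding of the Graph schema (assumption);
    whole days are emitted as "days", anything else must be whole hours."""
    sif = controls.sign_in_frequency
    if sif % timedelta(days=1) == timedelta(0):
        value, unit = sif.days, "days"
    elif sif % timedelta(hours=1) == timedelta(0):
        value, unit = int(sif.total_seconds() // 3600), "hours"
    else:
        raise ValueError("sign_in_frequency must be whole hours or whole days")
    return {
        "signInFrequency": {"value": value, "type": unit, "isEnabled": True},
        "persistentBrowser": {"mode": controls.persistent_browser, "isEnabled": True},
    }


# Constructed policies mirroring the thread: the tenant-wide setting the
# poster already has, and a stricter one for shared iPads / the HR app.
EVERYDAY = SessionControls("Everyday users", timedelta(days=90), "always")
SHARED_DEVICE = SessionControls("Shared iPads - HR app", timedelta(hours=1), "never")


def walkthrough() -> Dict[str, Tuple[bool, str]]:
    """Four scenarios showing that the two controls act on different axes."""
    t0 = datetime(2021, 6, 1, 0, 0)   # constructed sign-in time
    return {
        # The article's example: 1-hour SIF, browser never closed, at 01:00.
        "sif_elapsed": must_reauthenticate(
            SHARED_DEVICE, BrowserSession(t0, reopened=False), t0 + timedelta(hours=1)),
        # Shared iPad: first user closes Safari after 10 minutes, next user opens it.
        "cookie_gone": must_reauthenticate(
            SHARED_DEVICE, BrowserSession(t0, reopened=True), t0 + timedelta(minutes=10)),
        # Everyday user reboots on day 30: persistent cookie still honoured.
        "cookie_kept": must_reauthenticate(
            EVERYDAY, BrowserSession(t0, reopened=True), t0 + timedelta(days=30)),
        # Everyday user never closes the browser but reaches day 90.
        "sif_after_90_days": must_reauthenticate(
            EVERYDAY, BrowserSession(t0, reopened=False), t0 + timedelta(days=90)),
    }


if __name__ == "__main__":
    for label, outcome in walkthrough().items():
        print(f"{label:18s} prompt={outcome[0]!s:5s} {outcome[1]}")
    print(graph_session_controls(SHARED_DEVICE))
```

The model evaluates one policy at a time; it deliberately does not say how several policies with different SIF values combine for one browser session, which is the question the tests later in this thread are about.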
Hi Vasil, how would you target specific shared devices in conditional access? Looks to me that it is user based, as in assigning CA policies to users.

Also do you know the answer to this question? https://techcommunity.microsoft.com/t5/azure-active-directory-identity/ca-template-securing-security...
There is a device condition, and they recently introduced filters for devices too.

Has anyone had both working together?

Running some tests this afternoon: Persistent Browser Session for all apps, with a 2 hour SIF. A separate policy for PowerApps with a 1 hour SIF. Once the one hour SIF is hit, all applications, not just PowerApps, require re-authentication in the browser.

Great if they would work independently, but not sure if this is currently a thing!