Azure Active Directory (Azure AD) Conditional Access is a policy-based system that provides automated access control decisions for accessing your cloud apps. For example, Conditional Access policy session management in Azure AD lets you control how frequently your users need to sign in to your applications.
A question that comes up is how this mechanism interacts with Azure AD Single Sign-On (SSO), so that only the specifically configured applications are affected.
My current understanding is described below.
When a user's authentication or Multi-Factor Authentication (MFA) session, as represented by the OIDC token, exceeds the time limit specified in the conditional access policy, it triggers a re-authentication request for the user's SSO session with Azure AD.
It's important to note that although this re-authenticates the user's overall SSO session with Azure AD, it doesn't affect the user's access to other applications. This is because each application holds its own OIDC tokens, which remain valid and continue to provide access to that application. As a result, even after a re-authentication event, the user can still access other applications they were previously signed into without interruption.
As per the Microsoft documentation "Configure authentication session management - Microsoft Entra | Microsoft Learn", for example, we configured the session sign-in frequency to 1 hour for Microsoft Azure Management.
Once the 1 hour timeout expired, the Azure portal browser session required re-authentication, while Office 365 continued to operate uninterrupted.
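The policy described above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post or from Microsoft's documentation). It assumes the Microsoft.Graph.Identity.SignIns module is installed, the display name and pilot group ID are placeholders you replace, and the app ID is the well-known one for "Windows Azure Service Management API", which the portal lists as "Microsoft Azure Management".

```powershell
# Added example: create a Conditional Access policy that enforces a 1-hour
# sign-in frequency only for Microsoft Azure Management, leaving other apps
# (SharePoint, Exchange, etc.) on their normal SSO session.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Well-known app ID of "Windows Azure Service Management API"; confirm it in
# your tenant under Enterprise applications before relying on it.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
$pilotGroupId         = "<PILOT-GROUP-OBJECT-ID>"   # placeholder, replace

$policy = @{
    displayName = "CA - Azure Management - sign-in frequency 1 hour"
    # Start in report-only mode; switch to "enabled" after reviewing the
    # sign-in logs so you do not lock administrators out unexpectedly.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        # Scoping to this single app is what keeps Office 365 uninterrupted.
        applications   = @{ includeApplications = @($azureManagementAppId) }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Periodic re-authentication every 1 hour, independent of activity.
        signInFrequency = @{
            isEnabled = $true
            value     = 1
            type      = "hours"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify that the session control was stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SignInFrequency | Format-List IsEnabled, Value, Type
```

After enabling the policy, confirm the behaviour in the sign-in logs: the Azure portal should show a fresh interactive sign-in roughly every hour while SharePoint Online sign-ins are unaffected.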
It is also worth noting that Azure AD's sign-in frequency is different from the inactivity timeout:
Sign-in frequency in Azure AD determines how often a user must reauthenticate, regardless of their activity level, which can be set to require reauthentication at regular time intervals or every time a user performs certain actions.
Inactivity timeout, on the other hand, is a security measure that automatically signs a user out or locks their session after a specified period of inactivity, reducing the risk of unauthorized access from unattended devices.
The difference can be illustrated by the scenarios Microsoft documents in "Configure authentication session management - Microsoft Entra | Microsoft Learn":
Scenario 1 - User returns within cycle
· At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
· At 00:30, the user gets up and takes a break locking their device.
· At 00:45, the user returns from their break and unlocks the device.
· At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the initial sign-in.
Scenario 2 - User returns outside cycle
· At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
· At 00:30, the user gets up and takes a break locking their device.
· At 04:45, the user returns from their break and unlocks the device.
· At 05:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the PRT was refreshed at 04:45 (over 4 hours after the initial sign-in at 00:00).
More details on Azure AD cookies are available in "Web browser cookies used in Azure Active Directory authentication - Microsoft Entra | Microsoft Learn".