WELCOME TO CLOUD MATTER

Roman Guoussev-Donskoi

Session management with AAD Conditional Access

Azure Active Directory (Azure AD, now Microsoft Entra ID) Conditional Access is a policy-based system that makes automated access control decisions when users access your cloud apps. One of its session controls, sign-in frequency, lets you control how often users must re-authenticate to the applications a policy targets.


A question that comes up is how this control interacts with Azure AD Single Sign-On (SSO): if a user has a single SSO session, how can a sign-in frequency policy affect only the applications it is configured for?


My current understanding is described below.

When an application targeted by the policy asks Azure AD for a token and the user's authentication (or Multi-Factor Authentication (MFA)) session, as represented by the time of the last interactive sign-in recorded for the SSO session and reflected in the OIDC tokens issued from it, is older than the sign-in frequency limit in the Conditional Access policy, Azure AD requires the user to sign in interactively again. The check is made at token issuance, which is why the prompt appears when the application next needs a token rather than at the exact moment the interval elapses.


It's important to note that although this re-authentication refreshes the user's overall SSO session with Azure AD, it doesn't interrupt the user's access to other applications. Tokens are issued per application: each application holds its own OIDC/OAuth access and refresh tokens, which remain valid, and applications not targeted by the policy keep obtaining new tokens silently through the shared SSO session. As a result, even after a re-authentication event for one application, the user can still use the other applications they were previously signed into without being prompted.



For example, we configured a Session control with Sign-in frequency set to 1 hour for the Microsoft Azure Management cloud app.

Once the 1 hour timeout expired, the Azure portal browser session required re-authentication, while Office 365 continued to operate uninterrupted.
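The policy used in the experiment above, expressed as a Microsoft Graph request body, together with a small audit that reports which apps are actually covered by an enforced sign-in frequency. This is an added example written for this post, not the author's code and not Microsoft's; it relies on the public Graph `conditionalAccessPolicy` schema (`sessionControls.signInFrequency`). The Azure Management app ID is the well-known value that cloud app resolves to and should be confirmed against your own tenant export; the second app ID is hypothetical, and the sample policies are constructed inline rather than exported from a tenant.

```python
"""Build and audit Conditional Access sign-in frequency settings via the
Microsoft Graph conditionalAccessPolicy schema (sessionControls.signInFrequency).
Added example for this post; not the author's code and not Microsoft's.
The sample policies are constructed inline, not exported from a real tenant."""

# App ID that the "Microsoft Azure Management" cloud app resolves to in
# Conditional Access policies (assumption: confirm against your own tenant export).
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Hypothetical app ID used only for the sample data below.
HYPOTHETICAL_APP_ID = "11111111-2222-3333-4444-555555555555"
HOURS_PER_DAY = 24


def build_sif_policy(display_name, app_ids, value, unit="hours",
                     state="enabledForReportingButNotEnforced"):
    """Request body for POST /identity/conditionalAccess/policies that requires
    re-authentication every `value` `unit` for the listed apps only.
    Defaults to report-only so a mistyped interval cannot lock admins out."""
    if unit not in ("hours", "days"):
        raise ValueError("unit must be 'hours' or 'days'")
    if not isinstance(value, int) or value < 1:
        raise ValueError("value must be a positive integer")
    if not app_ids:
        raise ValueError("scope the policy to explicit apps")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "timeBased",   # or "everyTime"
                "type": unit,
                "value": value,
                # full sign-in (first factor and MFA), not an MFA-only re-prompt
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def sif_hours(policy):
    """Effective sign-in frequency of one policy, in hours.
    None when nothing is enforced (policy not enabled, control absent or
    disabled); 0 for 'everyTime', which prompts on every token request."""
    if policy.get("state") != "enabled":
        return None
    sif = (policy.get("sessionControls") or {}).get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    return sif["value"] * HOURS_PER_DAY if sif["type"] == "days" else sif["value"]


def audit_sign_in_frequency(policies):
    """Map each included app ID (or 'All') to the shortest enforced interval
    across enabled policies. Apps missing from the result are not targeted by
    any sign-in frequency policy, i.e. they keep the plain SSO session."""
    strictest = {}
    for policy in policies:
        hours = sif_hours(policy)
        if hours is None:
            continue
        for app in policy["conditions"]["applications"].get("includeApplications", []):
            if app not in strictest or hours < strictest[app]:
                strictest[app] = hours
    return strictest


# Constructed sample set: the post's 1-hour policy on Azure Management (enabled),
# a 14-day policy still in report-only mode, and an 8-hour policy on both apps.
SAMPLE_POLICIES = [
    dict(build_sif_policy("SIF-1h-AzureManagement", [AZURE_MANAGEMENT_APP_ID], 1),
         state="enabled"),
    build_sif_policy("SIF-14d-Hypothetical", [HYPOTHETICAL_APP_ID], 14, unit="days"),
    dict(build_sif_policy("SIF-8h-Both", [AZURE_MANAGEMENT_APP_ID, HYPOTHETICAL_APP_ID], 8),
         state="enabled"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_POLICIES[0], indent=2))
    for app, hours in audit_sign_in_frequency(SAMPLE_POLICIES).items():
        print(f"{app}: re-authentication every {hours} h")
```

Running the audit over the sample set reports Azure Management at 1 hour (the strictest of the two enabled policies that target it) and the hypothetical app at 8 hours; the report-only 14-day policy is ignored, which is the kind of gap this check is meant to surface before a policy is assumed to be protecting an app.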








It is also worth noting that Azure AD's sign-in frequency is different from an inactivity (idle) timeout:

  • Sign-in frequency in Azure AD determines how often a user must re-authenticate regardless of their activity level. It can be set to require re-authentication at regular time intervals (hours or days) or every time the targeted application requests a token.

  • Inactivity timeout, on the other hand, is a security measure that automatically signs a user out or locks their session after a specified period of inactivity, reducing the risk of unauthorized access from unattended devices. Sign-in frequency does not consider inactivity at all: a user who is locked out of their device for 30 minutes and returns is still prompted at the same time as a user who kept working.

The difference is illustrated by the scenarios Microsoft documents in "Configure authentication session management - Microsoft Entra | Microsoft Learn", reproduced below.


Scenario 1 - User returns within cycle

  • At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.

  • At 00:30, the user gets up and takes a break locking their device.

  • At 00:45, the user returns from their break and unlocks the device.

  • At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the initial sign-in.

Scenario 2 - User returns outside cycle

  • At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.

  • At 00:30, the user gets up and takes a break locking their device.

  • At 04:45, the user returns from their break and unlocks the device.

  • At 05:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the PRT was refreshed at 04:45 (over 4hrs after the initial sign-in at 00:00).
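The rules behind both scenarios, and behind the Azure portal versus Office 365 observation earlier in the post, can be reduced to three decisions: the check runs only when an application requests a token, every application sharing the session sees the same last-interactive-sign-in time, and an unlock on an Azure AD joined device counts as a fresh sign-in only when it actually renews the PRT. The event-driven model below encodes those rules and replays the two Microsoft timelines plus the portal/Office timeline. It is an added example written for this post, not the author's code and not Microsoft's implementation; the 4-hour PRT renewal interval is taken from Microsoft's PRT documentation and applied here as a modelling assumption, and all timelines and app names are constructed.

```python
"""Event-driven model of sign-in frequency (SIF) against a shared Azure AD session.
Added example for this post; not the author's code and not Microsoft's implementation.
Modelling assumptions: SIF is evaluated only when an app asks Azure AD for a token;
the session records a single last-interactive-sign-in time shared by every app; on an
Azure AD joined device an unlock renews the PRT only if the PRT is older than
PRT_RENEWAL (4 hours, the renewal interval Microsoft documents for the PRT), and a
renewed PRT counts as a fresh interactive sign-in. Timelines are constructed from the
two Microsoft scenarios and from the Azure portal / Office 365 observation in the post."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRT_RENEWAL = timedelta(hours=4)


@dataclass
class SsoSession:
    """Shared session: browser session cookie, or the PRT on a joined device."""
    last_interactive_auth: datetime
    prt_issued_at: datetime


@dataclass
class App:
    name: str
    sif: Optional[timedelta] = None   # None: not targeted by any SIF policy


def request_token(session: SsoSession, app: App, now: datetime) -> str:
    """An app asks for a token (first use or expired access token).
    Returns 'prompt' when the SIF interval has elapsed since the last interactive
    sign-in; the prompt is itself an interactive sign-in, so it resets the shared clock
    for every app. Untargeted apps are always served silently."""
    if app.sif is not None and now - session.last_interactive_auth >= app.sif:
        session.last_interactive_auth = now
        return "prompt"
    return "silent"


def unlock_device(session: SsoSession, now: datetime) -> bool:
    """Unlock on a joined device: renews the PRT with the user's credential (and so
    sets a new interactive sign-in time) only when the PRT is due for renewal."""
    if now - session.prt_issued_at >= PRT_RENEWAL:
        session.prt_issued_at = now
        session.last_interactive_auth = now
        return True
    return False


def run(events, apps):
    """events: (minutes since the initial sign-in, action, app name or None).
    Returns the (minutes, app name) pairs at which the user was prompted."""
    t0 = datetime(2024, 1, 1, 0, 0)
    session = SsoSession(last_interactive_auth=t0, prt_issued_at=t0)
    prompts = []
    for minutes, action, app_name in events:
        now = t0 + timedelta(minutes=minutes)
        if action == "unlock":
            unlock_device(session, now)
        elif action == "token":
            if request_token(session, apps[app_name], now) == "prompt":
                prompts.append((minutes, app_name))
        # "lock": nothing changes in the session; SIF ignores inactivity entirely
    return prompts


APPS = {
    "SharePoint": App("SharePoint", timedelta(hours=1)),    # targeted, 1 h
    "AzurePortal": App("AzurePortal", timedelta(hours=1)),  # targeted, 1 h
    "Outlook": App("Outlook"),                               # not targeted
}

# Scenario 1: unlock at 00:45 is inside the PRT renewal window, so prompt at 01:00.
SCENARIO_1 = [(0, "token", "SharePoint"), (30, "lock", None),
              (45, "unlock", None), (60, "token", "SharePoint")]
# Scenario 2: unlock at 04:45 renews the PRT, so the next prompt moves to 05:45.
SCENARIO_2 = [(0, "token", "SharePoint"), (30, "lock", None), (285, "unlock", None),
              (285, "token", "SharePoint"), (345, "token", "SharePoint")]
# The post's experiment: the portal prompts every hour, Outlook never does.
PORTAL_VS_OFFICE = [(0, "token", "AzurePortal"), (0, "token", "Outlook"),
                    (70, "token", "AzurePortal"), (70, "token", "Outlook"),
                    (130, "token", "AzurePortal"), (130, "token", "Outlook")]

if __name__ == "__main__":
    for name, timeline in [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
                           ("portal vs office", PORTAL_VS_OFFICE)]:
        print(name, "->", run(timeline, APPS))
```

The model deliberately leaves out one detail of the real service: Azure AD also shortens the access token lifetime of a targeted app to match the configured interval, which is what guarantees the token request (and therefore the prompt) arrives on time instead of whenever the app would otherwise have refreshed.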

