Configure authentication session direction with Provisional Access

  • Article
  • half-dozen minutes to read

In complex deployments, organizations might accept a need to restrict hallmark sessions. Some scenarios might include:

  • Resource admission from an unmanaged or shared device
  • Access to sensitive information from an external network
  • High impact users
  • Disquisitional business concern applications

Conditional Access controls let you to create policies that target specific utilize cases within your organization without affecting all users.

Earlier diving into details on how to configure the policy, let'south examine the default configuration.

User sign-in frequency

Sign-in frequency defines the time menses earlier a user is asked to sign in once more when attempting to admission a resource.

The Azure Active Directory (Azure Advertisement) default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to practice, only it can backfire: users that are trained to enter their credentials without thinking tin can unintentionally supply them to a malicious credential prompt.

Information technology might sound alarming to non ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but are not limited to) a password change, an incompliant device, or business relationship disable. You tin too explicitly revoke users' sessions using PowerShell. The Azure Advertizing default configuration comes downwards to "don't ask users to provide their credentials if security posture of their sessions has non inverse".

The sign-in frequency setting works with apps that have implemented OAUTH2 or OIDC protocols co-ordinate to the standards. Most Microsoft native apps for Windows, Mac, and Mobile including the following spider web applications comply with the setting.

  • Word, Excel, PowerPoint Online
  • OneNote Online
  • Role.com
  • Microsoft 365 Admin portal
  • Exchange Online
  • SharePoint and OneDrive
  • Teams web client
  • Dynamics CRM Online
  • Azure portal

The sign-in frequency setting works with SAML applications as well, as long every bit they do not drib their own cookies and are redirected dorsum to Azure Advert for authentication on regular basis.

User sign-in frequency and multi-factor hallmark

Sign-in frequency previously applied to only to the offset factor authentication on devices that were Azure Advertisement joined, Hybrid Azure AD joined, and Azure AD registered. There was no easy manner for our customers to re-enforce multi factor hallmark (MFA) on those devices. Based on customer feedback, sign-in frequency will apply for MFA as well.

Sign in frequency and MFA

User sign-in frequency and device identities

If you take Azure Advertizement joined, hybrid Azure AD joined, or Azure Ad registered devices, when a user unlocks their device or signs in interactively, this event will satisfy the sign-in frequency policy as well. In the post-obit two examples user sign-in frequency is fix to 1 hour:

Example 1:

  • At 00:00, a user signs in to their Windows x Azure AD joined device and starts work on a document stored on SharePoint Online.
  • The user continues working on the same document on their device for an 60 minutes.
  • At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their ambassador.

Example two:

  • At 00:00, a user signs in to their Windows x Azure Advertising joined device and starts work on a document stored on SharePoint Online.
  • At 00:xxx, the user gets upwards and takes a pause locking their device.
  • At 00:45, the user returns from their suspension and unlocks the device.
  • At 01:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Provisional Admission policy configured by their administrator since the last sign-in happened at 00:45.

Persistence of browsing sessions

A persistent browser session allows users to remain signed in after closing and reopening their browser window.

The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a "Stay signed in?" prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article Advertisement FS Single Sign-On Settings, we will comply with that policy and persist the Azure Advertizement session as well. You can also configure whether users in your tenant see the "Stay signed in?" prompt by changing the appropriate setting in the company branding pane in Azure portal using the guidance in the article Customize your Azure AD sign-in folio.

Configuring authentication session controls

Provisional Access is an Azure Ad Premium adequacy and requires a premium license. If you would similar to learn more nigh Conditional Admission, see What is Conditional Admission in Azure Active Directory?

Alert

If you are using the configurable token lifetime characteristic currently in public preview, delight note that we don't back up creating two unlike policies for the same user or app combination: one with this characteristic and another 1 with configurable token lifetime feature. Microsoft retired the configurable token lifetime feature for refresh and session token lifetimes on January thirty, 2022 and replaced it with the Conditional Admission authentication session management feature.

Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. If "Remember MFA on trusted devices" is enabled, be sure to disable information technology before using Sign-in frequency, every bit using these ii settings together may lead to prompting users unexpectedly. To learn more than about reauthentication prompts and session lifetime, run into the article, Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Hallmark.

Policy 1: Sign-in frequency control

  1. Sign in to the Azure portal.

  2. Search for Azure Advertisement Provisional Access.

  3. Select Policies.

  4. Select + New policy.

  5. Select Create new policy.

  6. Choose all required conditions for customer's environment, including the target deject apps.

    Note

    It is recommended to set equal authentication prompt frequency for cardinal Microsoft Office apps such every bit Substitution Online and SharePoint Online for best user feel.

  7. Get to Access Controls > Session and click Sign-in frequency

  8. Enter the required value of days and hours in the commencement text box

  9. Select a value of Hours or Days from dropdown

  10. Relieve your policy

Conditional Access policy configured for sign-in frequency

On Azure Advertizement registered Windows devices sign in to the device is considered a prompt. For case, if yous have configured the sign-in frequency to 24 hours for Office apps, users on Azure AD registered Windows devices will satisfy the sign-in frequency policy by signing in to the device and will be not prompted again when opening Part apps.

Policy 2: Persistent browser session

  1. Sign in to the Azure portal.

  2. Search for Azure Advertizement Provisional Admission.

  3. Select Policies.

  4. Select + New policy.

  5. Select Create new policy.

  6. Choose all required conditions.

    Note

    Please note that this control requires to choose "All Cloud Apps" every bit a condition. Browser session persistence is controlled by hallmark session token. All tabs in a browser session share a single session token and therefore they all must share persistence state.

  7. Go to Access Controls > Session and click Persistent browser session

  8. Select a value from dropdown

  9. Save you policy

Conditional Access policy configured for persistent browser

Note

Persistent Browser Session configuration in Azure AD Conditional Admission volition overwrite the "Stay signed in?" setting in the company branding pane in the Azure portal for the aforementioned user if you lot accept configured both policies.

Validation

Use the What-If tool to simulate a login from the user to the target application and other conditions based on how yous configured your policy. The authentication session management controls bear witness up in the result of the tool.

Conditional Access What If tool results

Policy deployment

To make sure that your policy works equally expected, the recommended all-time exercise is to examination it earlier rolling it out into production. Ideally, apply a test tenant to verify whether your new policy works as intended. For more data, see the article Plan a Conditional Access deployment.

Known problems

  • If you lot configure sign-in frequency for mobile devices, authentication after each sign-in frequency internal would exist tedious (can take xxx seconds on average). Also, it could happen across various apps at the aforementioned time.
  • In iOS devices, if an app configures certificates as the get-go authentication factor and the app has both Sign-in frequency and Intune mobile awarding management policies applied, the finish-users volition be blocked from signing in to the app when the policy is triggered.

Next steps

  • If you are ready to configure Conditional Access policies for your environment, see the article Programme a Conditional Access deployment.