Similar to last week, this week is still about conditional access. This week is about the recently introduced session control of Sign-in frequency (preview). It was already possible to configure the token lifetime, as a preview feature, but this new session control (maybe in a way in combination with the session control of last week) will replace that preview feature. In this post I’ll start with a short introduction about this new session control and the behavior that it controls. After that I’ll show the configuration steps, followed by the end-user experience.
Introduction
Now let’s start with a short introduction about the Sign-in frequency (preview) session control. The sign-in frequency defines the time period before a user is asked to sign in again when attempting to access the configured cloud app. The default configuration for user sign-in frequency is a rolling window of 90 days. The Sign-in frequency (preview) session control works with apps that have implemented the OAuth2 or OIDC protocols according to the standards.
Before starting with looking at the configuration, it’s good to keep the following in mind:
- It’s not supported to use the configurable token lifetime feature and this Sign-in frequency (Preview) session control for the same user or app combination;
- It’s recommended to set equal authentication prompt frequency, for important Office apps such as Exchange Online and SharePoint Online, for best user experience;
- When using Azure AD registered Windows devices the sign-in to the device is considered a prompt;
- When using different sign-in frequencies, for different web apps, that are running in the same browser session, the strictest policy will be applied to both apps (share a single session token);
Configuration
Let’s continue by having a look at the configuration options. Let’s do that by looking at a simple scenario that is focused on the Sign-in frequency access control. That scenario is to have a sign-in frequency of once a day on any platform, for accessing any cloud app, on any device. The following seven steps walk through that scenario.
1. Open the Azure portal and navigate to Microsoft Intune > Conditional access > Policies, or navigate to Azure Active Directory > Conditional access > Policies, to open the Conditional Access – Policies blade;
2. On the Conditional Access – Policies blade, click New policy to open the New blade;
3. Explanation: This configuration will make sure that this conditional access policy is applicable to all users.
4. Explanation: This configuration will make sure that this conditional access policy is applicable to all cloud apps.
5. On the New blade, there is no need to select the Conditions assignment; Explanation: This configuration will make sure that this conditional access policy is applicable to all platforms, locations, client apps and device states.
6. Explanation: This configuration will make sure that this conditional access policy will require a sign-in frequency of once a day, for the assigned users, to the assigned cloud apps. Note: The number can be any value between 1 and 23 when Hours is selected as unit and the number can be any value between 1 and 365 when Days is selected as unit.
7. On the New blade, select On with Enable policy and click Create;
Note: Keep in mind that the Sign-in frequency control is still in preview.
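The same policy as the seven portal steps above, created through the Microsoft Graph PowerShell SDK instead of the portal. This is an added example and not part of the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in administrator has the Policy.ReadWrite.ConditionalAccess permission, and the policy display name and the two frequency parameters are my own choices. The range check mirrors the limits the portal applies (1-23 for hours, 1-365 for days), and the final query lists every policy that already sets a sign-in frequency, which is useful because the strictest policy wins for web apps sharing one browser session.

```powershell
# Added example (not from the original post): create the "once a day, all users,
# all cloud apps, no conditions" sign-in frequency policy via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the admin holds the
# Policy.ReadWrite.ConditionalAccess scope. Display name and parameters are assumptions.
param(
    [ValidateSet('hours', 'days')]
    [string]$FrequencyUnit = 'days',
    [int]$FrequencyValue = 1,
    [string]$DisplayName = 'CA - Sign-in frequency once a day (example)'
)

# Same limits the portal enforces: 1-23 when the unit is hours, 1-365 when it is days.
function Test-SignInFrequency {
    param([string]$Unit, [int]$Value)
    switch ($Unit) {
        'hours' { return ($Value -ge 1 -and $Value -le 23) }
        'days'  { return ($Value -ge 1 -and $Value -le 365) }
    }
    return $false
}

if (-not (Test-SignInFrequency -Unit $FrequencyUnit -Value $FrequencyValue)) {
    throw "Sign-in frequency $FrequencyValue $FrequencyUnit is outside the allowed range (1-23 hours or 1-365 days)."
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Mirrors the portal steps: all users (3), all cloud apps (4), no extra conditions (5),
# a sign-in frequency session control (6) and the policy switched on (7).
$policy = @{
    displayName     = $DisplayName
    state           = 'enabled'   # 'enabledForReportingButNotEnforced' stages it without enforcing
    conditions      = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = $FrequencyUnit    # 'hours' or 'days'
            value     = $FrequencyValue
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' with id $($created.Id) (state: $($created.State))"

# Review every policy that sets a sign-in frequency: for web apps running in the same
# browser session the strictest frequency applies, so overlapping policies matter.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = 'Frequency'; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```

Run it as a script (`.\New-SignInFrequencyPolicy.ps1 -FrequencyUnit hours -FrequencyValue 12`, the file name being an assumption) after the module is installed; the range check throws before any Graph call is made, so a value such as 24 hours is rejected the same way the portal rejects it.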
End-user experience
Now let’s end this post by having a look at the end-user experience. For testing the end-user experience, I simply opened a browser session with one of the Office apps and waited until the configured sign-in frequency passed. After that I received the message “Your organizational policy requires you to sign-in again after a certain time period”, which is also shown below.
More information
For more information regarding conditional access and sign-in frequency, please refer to the following articles:
- Manage authentication sessions in Azure AD conditional access is now in public preview!: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Manage-authentication-sessions-in-Azure-AD-conditional-access-is/ba-p/500983
- Configure authentication session management with conditional access: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
Peter,
Great article, very informative. I’m hoping you can help me solve a conditional access requirement. How would I make non-compliant users adhere to a sign-in frequency while not affecting compliant devices?
I have a conditional access for company phones that do not prompt MFA/password if Azure AD bound, compliant, and/or trusted locations.
Hi Jay,
You could look at excluding that device state.
Regards, Peter
Just to make sure I better understand this setting. If applied, it’s no longer a rolling window? So you enforce a logon (password prompt) at the selected frequency?
When using an Azure AD registered device, then a user that logs on the device will not see other password prompts? In both apps and browsers?
Regards, Kaj
Hi Kaj,
It’s basically adjusting the Azure AD default.
Regards, Peter
What happens if you select the option in your browser to cache your credentials when you sign into the Session?
Does this mean your password automatically populates in the sign in box and potentially leaves a user’s account exposed on an unmanaged device ?
Hi Bob,
This will just “manage” the sign-in frequency for the user. It does not manage the cache of browser.
Regards, Peter
PS: When you want to work with persistent browser sessions, you can look at this: https://petervanderwoude.nl/post/conditional-access-and-persistent-browser-sessions/
Could you clarify/confirm something on the user experience for me. Currently we have CA policies in place that do not take advantage of sign-in frequency. If we enable sign-in frequency for 30 days, will users be prompted to authenticate 30 days from now? I.e. everyone at the same time? Or is the sign-in frequency more like 30 days from the last time each individual user last authenticated, therefore spreading out all users across the next 30 days?
Hi Manoj,
There are more data points. For a better understanding have a look at the documented examples: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency
Regards, Peter
Yes I have previously read this page though I don’t think it answers my question. Adding some additional context to previous scenario. All user devices are iOS and Android using MSFT mobile apps.
Hi Manoj,
To my knowledge, the required data points are always available and don’t start counting when you enable the sign-in frequency in CA. Main reason for that statement is that the default sign-in frequency is always applicable in the first place.
Regards, Peter
Hi, first of all thank you for taking the time to write this awesome article.
We use Azure AD App Proxy service to publish our Line of Business application to internet.
We also use Conditional Access to force MFA for LoB applications.
As I understand, Sign-in frequency and Persistent Browser Session work only for cloud apps.
Is there any way to apply it to LoB applications also?
Thank you.
Hi Taryel,
Have a look at the docs here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency
At this moment it works with “apps that have implemented OAUTH2 or OIDC protocols according to the standards” and with “SAML applications as well, as long as they do not drop their own cookies and are redirected back to Azure AD for authentication on regular basis“.
Regards, Peter