Similar to last week, this week is still about conditional access. This week is about the recently introduced session control Sign-in frequency (preview). It was already possible to configure the token lifetime as a preview feature, but this new session control (possibly in combination with the session control of last week) will replace that preview feature. In this post I’ll start with a short introduction to this new session control and the behavior it controls. After that I’ll show the configuration steps, followed by the end-user experience.
Now let’s start with a short introduction to the Sign-in frequency (preview) session control. The sign-in frequency defines the time period before a user is asked to sign in again when attempting to access the configured cloud app. The default user sign-in frequency is a rolling window of 90 days. A shorter window limits how long an unattended or hijacked browser session keeps working without a fresh sign-in. The Sign-in frequency (preview) session control works with apps that implement the OAuth 2.0 or OpenID Connect (OIDC) protocols according to the standards.
Before starting with looking at the configuration, it’s good to keep the following in mind:
- It’s not supported to use the configurable token lifetime feature and the Sign-in frequency (preview) session control for the same user or app combination;
- For the best user experience, it’s recommended to set the same authentication prompt frequency for important Office apps, such as Exchange Online and SharePoint Online;
- On Azure AD registered Windows devices, the sign-in to the device is considered a prompt;
- When web apps with different sign-in frequencies run in the same browser session, the strictest policy is applied to both apps, because they share a single session token;
Let’s continue by having a look at the configuration options, by walking through a simple scenario focused on the Sign-in frequency session control. In that scenario the sign-in frequency is once a day, on any platform, for any cloud app, on any device. The following seven steps walk through that scenario.
1. Open the Azure portal and navigate to Microsoft Intune > Conditional access > Policies or navigate to Azure Active Directory > Conditional access > Policies to open the Conditional Access – Policies blade;
2. On the Conditional Access – Policies blade, click New policy to open the New blade;
3. On the New blade, provide a unique name and select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, on the Include tab, select All users and click Done to return to the New blade;
   Explanation: This configuration will make sure that this conditional access policy is applicable to all users.
4. On the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, on the Include tab, select All cloud apps and click Done to return to the New blade;
   Explanation: This configuration will make sure that this conditional access policy is applicable to all cloud apps.
5. On the New blade, there is no need to select the Conditions assignment;
   Explanation: This configuration will make sure that this conditional access policy is applicable to all platforms, locations, client apps and device states.
6. On the New blade, select the Session access control to open the Session blade. On the Session blade, select Sign-in frequency (preview), enter 1, select Days and click Select to return to the New blade;
   Explanation: This configuration will make sure that this conditional access policy will require a sign-in frequency of once a day, for the assigned users, to the assigned cloud apps.
   Note: The number can be any value between 1 and 23 when Hours is selected as unit and the number can be any value between 1 and 365 when Days is selected as unit.
7. On the New blade, select On with Enable policy and click Create;
Note: Keep in mind that the Sign-in frequency control is still in preview.
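The same policy can be created with the Microsoft Graph API instead of the portal. The following script is an added example, not code from the original post: it builds the request body for the policy configured in the seven steps above (all users, all cloud apps, no conditions, sign-in frequency of 1 day), enforces the 1–23 hours / 1–365 days limits from the note, and works out which frequency wins when several policies apply to one browser session (the strictest one). It assumes the Graph conditionalAccessPolicy schema (conditions.users, conditions.applications, sessionControls.signInFrequency with value/type/isEnabled) and the beta endpoint URL below; nothing is sent to Graph by this script, the request is only returned as data.

```python
"""Build and sanity-check a conditional access policy with a sign-in frequency session
control as a Microsoft Graph request body (added example, not the original post's code).
Assumed: the Graph conditionalAccessPolicy schema and the endpoint URL below."""
import json
from typing import Dict, List, Optional, Sequence

# Limits from the post: 1-23 when the unit is hours, 1-365 when the unit is days.
FREQUENCY_LIMITS = {"hours": (1, 23), "days": (1, 365)}

# Assumed Graph endpoint; at the time of the post the API lived in the beta namespace.
GRAPH_POLICIES_URL = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"


def sign_in_frequency(value: int, unit: str) -> Dict:
    """Return the signInFrequency session control, rejecting values the portal would not accept."""
    unit = unit.lower()
    if unit not in FREQUENCY_LIMITS:
        raise ValueError(f"unit must be 'hours' or 'days', got {unit!r}")
    low, high = FREQUENCY_LIMITS[unit]
    if not low <= value <= high:
        raise ValueError(f"{unit} must be between {low} and {high}, got {value}")
    return {"value": value, "type": unit, "isEnabled": True}


def build_policy(name: str, value: int, unit: str,
                 users: Sequence[str] = ("All",), apps: Sequence[str] = ("All",),
                 enabled: bool = True) -> Dict:
    """Policy body mirroring the seven portal steps: all users, all cloud apps, no
    conditions (so every platform, location, client app and device state), and only a
    session control (no grant control)."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeUsers": list(users)},
            "applications": {"includeApplications": list(apps)},
        },
        "sessionControls": {"signInFrequency": sign_in_frequency(value, unit)},
    }


def to_hours(frequency: Dict) -> int:
    """Normalise a signInFrequency control to hours so policies can be compared."""
    return frequency["value"] * (24 if frequency["type"] == "days" else 1)


def effective_frequency_hours(policies: List[Dict]) -> Optional[int]:
    """Strictest (shortest) enabled sign-in frequency across the given policies, which is
    what applies when web apps in one browser session share a single session token."""
    hours = []
    for policy in policies:
        control = policy.get("sessionControls", {}).get("signInFrequency")
        if policy.get("state") == "enabled" and control and control.get("isEnabled"):
            hours.append(to_hours(control))
    return min(hours) if hours else None


def create_policy_request(policy: Dict, access_token: str) -> Dict:
    """The HTTP request a client would send (the token needs the
    Policy.ReadWrite.ConditionalAccess permission). Returned as data so the example
    runs offline; send it with any HTTP client."""
    return {
        "method": "POST",
        "url": GRAPH_POLICIES_URL,
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(policy),
    }


if __name__ == "__main__":
    daily = build_policy("CA - Sign-in frequency once a day", 1, "days")
    print(json.dumps(daily, indent=2))
    # Two policies hitting the same browser session: the 8-hour one wins.
    shift = build_policy("CA - Sign-in frequency every 8 hours", 8, "hours")
    print("effective frequency:", effective_frequency_hours([daily, shift]), "hours")
    print(create_policy_request(daily, "<access token>")["url"])
```

The `effective_frequency_hours` check is worth running before rolling out a second policy: because apps in one browser session share a session token, a new 8-hour policy scoped to a single app silently tightens the once-a-day experience of every other app opened in that session.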
Now let’s end this post by having a look at the end-user experience. For testing the end-user experience, I simply opened a browser session with one of the Office apps and waited until the configured sign-in frequency passed. After that I received the message “Your organizational policy requires you to sign-in again after a certain time period”, which is also shown below.
For more information regarding conditional access and sign-in frequency, please refer to the following articles:
- Manage authentication sessions in Azure AD conditional access is now in public preview!: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Manage-authentication-sessions-in-Azure-AD-conditional-access-is/ba-p/500983
- Configure authentication session management with conditional access: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime