Azure AD Sigin page through custom policy gives Bad Request after idle time of 2 or 3 hours

Question

Azure AD Sigin page through custom policy gives Bad Request after idle time of 2 or 3 hours

Arsalan Younus 0

We have implemented a signin custom policy for azure ad b2c, the issue is when the user leaves the signin page opened up for a couple of hours (idle timespan is unknown) he often faces a "Bad Request" error when he clicks on sign in button.

Arsalan Younus 0 Reputation points

2025-04-04T12:19:54.6933333+00:00
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-15T16:47:23.2766667+00:00

Hello @Arsalan Younus •
Following up to see if the suggestion was helpful. And, if you have any further query do let us know.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-16T17:49:53.1233333+00:00

Hello @Arsalan Younus •
Following up to see if the suggestion was helpful. And, if you have any further query do let us know.

1 answer

Your answer

Arsalan Younus 0 Reputation points

2025-04-04T12:19:54.6933333+00:00
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-15T16:47:23.2766667+00:00

Hello @Arsalan Younus •
Following up to see if the suggestion was helpful. And, if you have any further query do let us know.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-16T17:49:53.1233333+00:00

Hello @Arsalan Younus •
Following up to see if the suggestion was helpful. And, if you have any further query do let us know.

Answer 1

Harshitha Eligeti 4,385 Microsoft External Staff Moderator

Hello @Arsalan Younus •
I understand that you've implemented a custom sign-in policy for Azure AD B2C, and the issue you're encountering occurs when a user leaves the sign-in page open for a couple of hours. When they try to sign-in, they are receiving a "Bad Request" error.

If the B2C session expires, you will encounter errors like this. This is a common scenario where the session has expired due to inactivity. To manage this, you need to review the session lifetime settings used in your B2C custom policy.
For Additional information refer this document: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow
If you have any queries do let us know. We are happy to assist you further.

Arsalan Younus 0 Reputation points

2025-04-09T05:17:22.1433333+00:00

Hi @Harshitha Eligeti

Thanks for the reply.

I know session lifetime settings can create issues like this but once the user is signed out and he is on login screen, why is this setting considered because session is expired.

The issue is when user signs out and login screen appears then user leaves the system for a while like a couple of hours then he comes back and click on the sign in button on the same screen he left then the "Bad Request" issue appears.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-09T18:23:15.3766667+00:00

Hello @Arsalan Younus •
In this scenario, when you click the sign-out button, you're only signing out of the application itself, but the B2C session remains active. The B2C session lasts from the login screen to the logout screen. It will only end when you close the browser session; otherwise, the B2C session will remain active even if you're on the logout screen of the application.

If you have any queries do let us know. We are happy to assist you further.
Arsalan Younus 0 Reputation points

2025-04-10T06:09:40.6233333+00:00

The settings which i see in the documentation you shared referring to application session, can you point out which is setting for B2C session?
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-10T18:07:57.94+00:00
Hello @Arsalan Younus
The Azure AD B2C session can be configured with the following scopes:

Tenant - This setting is the default. Using this setting allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one upon accessing it.

Application - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to Contoso Pharmacy regardless of whether the user is already signed into Contoso Groceries.

Policy - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For instance, Azure AD B2C grants the user access to higher-security parts of multiple applications if the user has already signed in and completed a multifactor authentication (MFA) step. This access continues as long as the session associated with the user flow remains active.

Suppressed - This setting forces the user to run through the entire user flow upon every execution of the policy.

Change the value of the Scope attribute to one of the possible values: Suppressed, Tenant, Application, or Policy.

For Detailed information refer this document: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-the-custom-policy

If you have any queries do let us know. We are happy to assist you further.
Arsalan Younus 0 Reputation points

2025-04-11T07:11:36.8066667+00:00
Please clear my confusion.

You said there are two different sessions.

Application session which is responsible for maintaining user session after he is logged in and responsible for logging out the user according to the user activity and the settings done on Azure.

Azure B2C session which is being maintained even if the user is not logged in, which is in my case creating Bad Request issue even after the user is logged out and stay on login screen for a couple of hours.

If that is correct, please let me know where can i see the settings for both the sessions management.

Thanks
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-14T17:56:14.4+00:00

Hello @Arsalan Younus •
you can see the settings for the token session management in your configured custom policy.
which describes in the following document: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#configure-token-lifetime
If you have any queries do let us know. We are happy to assist you further.
Jakub Konečný 0 Reputation points

2025-06-26T10:38:21.4966667+00:00

Hello, do you have a solution for this issue? I'm experiencing the same problem, and it's causing major frustration for our customers. If you have any possible fix, I would greatly appreciate it if you could share it.

Share via

Azure AD Sigin page through custom policy gives Bad Request after idle time of 2 or 3 hours

1 answer

Your answer