Azure CA / MFA and periodic reauthentication, what's the criteria?

Question

Azure CA / MFA and periodic reauthentication, what's the criteria?

Nils Norell 20

Hello, Since setting up conditional access with session controls of a sign in frequency / periodic reauthentication of 7 days with persistent browser sessions, there are a few things that I find difficult to understand how they work. Once you've approved an MFA challenge, what determines whether you're going to get another one within 7 days or not? Are you whitelisted if you're accessing a service from the same external ip? or with the same account? or with the same device? All within the space of those 7 days I mean. For instance, I logged in to OWA, and then I'm not getting an MFA challenge for the cisco anyconnect VPN client that is also AAD integrated with an enterprise application, so what exactly is producing this result? Thanks so much, hoping to get some understanding on the subject! //Nils

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-10T03:31:36.34+00:00

@Nils Norell

I am following up to see if you were able to follow the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer" and rate your experience. This will help us and others in the community as well.

Thanks,

Akshay Kaushik
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-12T08:20:38.26+00:00

@Nils Norell

I am checking here to see if you have any further queries on this, please do let me know. However if you feel that your query has been answered, Please "Accept the answer" and rate your experience, response would be appreciated. This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Accepted answer

0 additional answers

Your answer

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-10T03:31:36.34+00:00

@Nils Norell

I am following up to see if you were able to follow the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer" and rate your experience. This will help us and others in the community as well.

Thanks,

Akshay Kaushik
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-12T08:20:38.26+00:00

@Nils Norell

I am checking here to see if you have any further queries on this, please do let me know. However if you feel that your query has been answered, Please "Accept the answer" and rate your experience, response would be appreciated. This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Nils Norell

Thank you for posting your query on Microsoft Q&A.

From the above description I understand that you are looking how does Azure AD CA policy identify whether reauthentication is needed after defined period or not. Please do correct me if you have any discrepancy.

This policy does evaluate the condition based on "refresh token" lifetime.

For example if you have set periodic reauthentication of 7 days with persistent browser sessions, then every time user tries access any of the cloud applications (part of CA policy), the access token will be granted only after validating the life time of refresh token user session is holding.

If the refresh token was issued within last 7 days, then user will get access token to access the application, however if refresh token was issued more than 7 days ago, then user will be prompted for reauthentication.
The lifetime of refresh token is calculated from date of issuance by Azure AD.

Please do let me know if you have any further queries in the comments section.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

Nils Norell 20 Reputation points

2023-04-25T07:39:35.9633333+00:00

@Akshay-MSFT Thanks so much! Can you please elaborate a bit? Is the token stored on the clients? Is it dependant on from where you logged in? (IP Address) With 7 days reauth, if I logged in from the office on monday and from home on thursday, what would happen and why? Thanks! //Nils
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-03T06:26:00.62+00:00
@Nils Norell

I was on a break for sometime so was not able to respond earlier. PFB answer inline :

Can you please elaborate a bit? Is the token stored on the clients?

Yes, the token is stored under Client (application, browser or broker application (authenticator or company portal))

Is it dependant on from where you logged in? (IP Address) With 7 days reauth, if I logged in from the office on monday and from home on thursday, what would happen and why?

Ideally no, until the token is valid there won't be any prompt for reauthentication as it it still meeting the criteria you set in CA policy, however if there is a location based CA policy which does not allow access from non trusted location, then session could be impacted.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-04T04:12:38+00:00

@Nils Norell

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer" and "share you feedback (Yes)". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Share via

Azure CA / MFA and periodic reauthentication, what's the criteria?

0 additional answers

Your answer