How to make an Azure "enterprise application" always ask for a password?

Araos Carvacho Rene Antonio 1 Reputation point
2022-11-28T19:37:54.713+00:00

Hello

I need to make one of Azure's "enterprise applications" always ask for a password, not use the login/session already established in the browser.

I found an option in Conditional Access, "login frequency", but it doesn't allow assigning the option "every time".

Any idea how to achieve that?

Thanks and regards

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Vasil Michev 100.2K Reputation points MVP
    2022-11-28T21:06:21.65+00:00

    That really depends on how the application is coded. If it's an application you are in charge of, one method would be to add the ?prompt=login parameter. Read about it here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code

    prompt (optional): Indicates the type of user interaction that is required. Valid values are login, none, consent, and select_account.

    • prompt=login forces the user to enter their credentials on that request, negating single-sign on.
    • prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error.
    • prompt=consent triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.
    • prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

  2. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2022-12-05T12:42:29.377+00:00

    Hello @ArosCavachoReneAntonio-8655,

    As per https://learn.microsoft.com/en-in/azure/active-directory/conditional-access/concept-conditional-access-session#sign-in-frequency, as of now only the following first-party applications support the sign-in frequency feature within a conditional access policy.

    1. Word, Excel, PowerPoint Online
    2. OneNote Online
    3. Office.com
    4. Microsoft 365 Admin portal
    5. Exchange Online
    6. SharePoint and OneDrive
    7. Teams web client
    8. Dynamics CRM Online
    9. Azure portal

    For any in-house application, we need to include the prompt=login parameter, as suggested by our community expert above and defined in the MSAL OAuth flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code.

    Please do let us know if you have any further queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

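Both answers point to prompt=login. The sketch below is an added example, not code from either answer or from Microsoft: it builds the authorization request with that parameter and then checks on the application side that the sign-in really was fresh, since the query string can be edited in the browser. Assumptions: the function names are hypothetical, the tenant, client ID and redirect URI are placeholders supplied by the caller, the app registration is configured to emit the optional auth_time claim, and the ID token's signature, issuer and audience have already been validated elsewhere.

```python
import secrets
import time
from urllib.parse import urlencode

# Authorization endpoint of the Microsoft identity platform (v2.0); tenant is caller-supplied.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, scope="openid profile"):
    """Return (url, state, nonce) for a request that forces credential entry."""
    state = secrets.token_urlsafe(16)   # CSRF protection, kept in the user's session
    nonce = secrets.token_urlsafe(16)   # binds the returned ID token to this request
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "prompt": "login",              # negates single sign-on for this request
    })
    return AUTHORIZE.format(tenant=tenant) + "?" + query, state, nonce


def is_fresh_login(claims, request_started_at, expected_nonce, skew=60, now=None):
    """Return True only if validated ID token claims show a sign-in made for this request.

    prompt=login travels in a URL the user can alter, so the application should not
    treat its presence as proof. The auth_time claim (assumed to be configured as an
    optional claim) records when the user last entered credentials.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False                    # token was issued for a different request
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False                    # claim missing or malformed: fail closed
    if auth_time > now + skew:
        return False                    # timestamp lies in the future
    # Credentials must have been entered after this request began (minus clock skew).
    return auth_time >= request_started_at - skew
```

Record `request_started_at` server-side when the redirect is issued, and send the user back through `build_authorize_url` whenever `is_fresh_login` returns False.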