Help me understand non-interactive logins

Bryan 20 Reputation points
2023-07-04T19:01:13.0233333+00:00

Hey, I'm just trying to understand non-interactive logins, specifically: if I reset a user's password, does that revoke the tokens the apps are using to sign in with? Or do I have to somehow revoke those tokens as well?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Konstantinos Passadis 19,591 Reputation points MVP
    2023-07-04T19:23:58.2166667+00:00

    Hello @Bryan !

    Welcome to Microsoft QnA!

    Here are some details on your query :

    Noninteractive authentication can only be used after an interactive authentication has taken place. During noninteractive authentication, the user does not input logon data, instead, previously established credentials are used.

    Noninteractive authentication is performed when an application uses the Security Support Provider Interface (SSPI) and a security package to establish a secure network connection. Noninteractive authentication is the mechanism at work when a user connects to multiple machines on a network without having to re-enter logon information for each machine. For example, if an application needs to open a secure folder on a remote machine and the application user is already interactively logged on to a domain account, the application does not require the user to supply logon data again. Instead, the application can request a noninteractive authentication by using SSPI to pass the previously established security information to a security package. The security package then uses LSA functions to check the credentials. The following diagram illustrates this procedure.

    (Diagram: noninteractive authentication)

    Link : https://learn.microsoft.com/en-us/windows/win32/secauthn/noninteractive-authentication

    Also :

    When you reset a user's password in Azure Active Directory (AAD), it does not automatically revoke the existing tokens issued to the user. The tokens are typically valid until their expiration time, regardless of whether the user's password has been reset.

    To ensure that the user is prompted to authenticate again and obtain new tokens after a password reset, you can employ one or both of the following approaches:

    • Set the "forcePasswordChange" flag: When resetting the user's password, you can set the "forcePasswordChange" flag to true. This flag will prompt the user to change their password upon their next sign-in, effectively invalidating their existing tokens. The user will be required to provide the new password during the next authentication.

    • Use token revocation: You can implement token revocation in your application to explicitly revoke the user's existing tokens after a password reset. To achieve this, you can use the Azure AD Graph API or Microsoft Graph API to revoke the tokens associated with the user. By revoking the tokens, the user will be required to sign in again and obtain new tokens.

    It's worth noting that revoking tokens may impact the user's experience, as they will need to re-authenticate and obtain new tokens for all the applications they were previously signed in to. Consider the implications and user experience when deciding to revoke tokens after a password reset.

    Additionally, keep in mind that the approach for revoking tokens may differ depending on the specific identity platform or authentication library you are using in your application. Consult the documentation or resources provided by the identity platform or library to understand the recommended approach for token revocation in your specific context.


    I hope this helps!

    The answer or portions of it may have been assisted by AI. Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    8 people found this answer helpful.

1 additional answer

  1. Konstantinos Passadis 19,591 Reputation points MVP
    2023-07-04T21:59:08.88+00:00

    Hello @Bryan !

    What are non-interactive logins?

     Non-interactive user sign-ins are sign-ins that were performed by a client app or an OS component on behalf of a user. Like interactive user sign-ins, these sign-ins are done on behalf of a user. Unlike interactive user sign-ins, these sign-ins do not require the user to supply an Authentication factor. Instead, the device or client app uses a token or code to authenticate or access a resource on behalf of a user. In general, the user will perceive these sign-ins as happening in the background of the user’s activity.


    Some activity that is captured in these logs:

    • A client app uses an OAuth 2.0 refresh token to get an access token.
    • A client uses an OAuth 2.0 authorization code to get an access token and refresh token.
    • A user performs single sign-on (SSO) to a web or Windows app on an Azure AD joined PC.
    • A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).

     Source : https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/non-interactive-logins-minimizing-the-blind-spot/ba-p/2287932

    Access Tokens :

    Access tokens and refresh tokens are frequently used with thick client applications, and also used in browser-based applications such as single page apps.

    When users authenticate to Azure Active Directory (Azure AD), part of Microsoft Entra, authorization policies are evaluated to determine if the user can be granted access to a specific resource.
    
    If authorized, Azure AD issues an access token and a refresh token for the resource.
    
    Access tokens issued by Azure AD by default last for 1 hour. If the authentication protocol allows, the app can silently reauthenticate the user by passing the refresh token to the Azure AD when the access token expires.
    

    Azure AD then reevaluates its authorization policies. If the user is still authorized, Azure AD issues a new access token and refresh token.

    Access tokens can be a security concern if access must be revoked within a time that is shorter than the lifetime of the token, which is usually around an hour. For this reason, Microsoft is actively working to bring continuous access evaluation to Office 365 applications, which helps ensure invalidation of access tokens in near real time.

    When access is revoked

    Once admins have taken the above steps, the user can't gain new tokens for any application tied to Azure Active Directory. The elapsed time between revocation and the user losing their access depends on how the application is granting access:

    For applications using access tokens, the user loses access when the access token expires.
    
    For applications that use session tokens, the existing sessions end as soon as the token expires. If the disabled state of the user is synchronized to the application, the application can automatically revoke the user's existing sessions if it's configured to do so. The time it takes depends on the frequency of synchronization between the application and Azure AD.
    

    Source : https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

    Regarding the Follow Up:

    Non-interactive logins can come from a secure VPN or a remote access session; also, MFA is an example of authentication without physical presence or an "interactive" session.


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.
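The two answers above both turn on the same timing point: an explicit revocation (Microsoft Graph's revokeSignInSessions, which resets the user's signInSessionsValidFromDateTime) stops refresh tokens from being redeemed, while an already-issued access token keeps working until its expiry unless continuous access evaluation is in play. The following is an added model of that lifecycle, not code from either answer or from Microsoft; the Token and UserState classes and the constructed timeline are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
ACCESS_TOKEN_LIFETIME = timedelta(hours=1)  # default lifetime cited in the thread


@dataclass(frozen=True)
class Token:                 # hypothetical stand-in for a JWT's iat/exp claims
    kind: str                # "access" or "refresh"
    iat: datetime            # issued-at
    exp: datetime            # expiry


@dataclass
class UserState:
    # Models the Graph user property that POST /users/{id}/revokeSignInSessions
    # resets to the current time; refresh tokens issued before it are rejected.
    sign_in_sessions_valid_from: datetime


def revoke_sign_in_sessions(user: UserState, now: datetime) -> None:
    """Assumed behaviour of revokeSignInSessions: only the cutoff moves."""
    user.sign_in_sessions_valid_from = now


def is_honoured(tok: Token, user: UserState, now: datetime) -> bool:
    """Would the token still grant access at `now`? No CAE is modelled, so an
    access token is a plain bearer credential until it expires."""
    if now >= tok.exp:
        return False
    if tok.kind == "refresh":
        return tok.iat >= user.sign_in_sessions_valid_from
    return True


def seconds_until_locked_out(tokens, user: UserState, revoked_at: datetime) -> float:
    """Worst-case window after revocation during which an app holding these
    tokens still works: the longest remaining life of a live access token."""
    live = [t for t in tokens if t.kind == "access" and is_honoured(t, user, revoked_at)]
    return max(((t.exp - revoked_at).total_seconds() for t in live), default=0.0)


def demo() -> dict:
    t0 = datetime(2023, 7, 4, 19, 0, tzinfo=UTC)  # constructed timeline
    user = UserState(sign_in_sessions_valid_from=t0 - timedelta(days=30))
    access = Token("access", t0, t0 + ACCESS_TOKEN_LIFETIME)
    refresh = Token("refresh", t0, t0 + timedelta(days=90))
    revoked_at = t0 + timedelta(minutes=20)
    revoke_sign_in_sessions(user, revoked_at)
    just_after = revoked_at + timedelta(seconds=1)
    return {
        "refresh_after_revoke": is_honoured(refresh, user, just_after),
        "access_after_revoke": is_honoured(access, user, just_after),
        "access_after_expiry": is_honoured(access, user, t0 + ACCESS_TOKEN_LIFETIME),
        "lockout_seconds": seconds_until_locked_out([access, refresh], user, revoked_at),
    }
```

In the constructed scenario the refresh token dies at revocation, but the hour-long access token issued 20 minutes earlier still buys 40 minutes of access, which is the gap the second answer describes.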
