Only one session must be active for a user account at any one time

RATNAPARKHE, NITESH 20 Reputation points
2024-12-04T10:42:28.29+00:00

I am using Azure AD for managing user authentication in my Angular web application. I want to ensure only one user session is active at a given point of time. How can I achieve this when using Azure AD? More details regarding my requirement below.

A second login with the same user account must be prevented. Alternatively, a second login can be permitted; in this case, the first session must be terminated. This variant can be reasonable to prevent a user account from being temporarily blocked, for example, due to the browser being closed or crashing without the user first logging out.

It is recommended that the web application shows the user a warning message when he logs in but a session for this user account is already in progress. This increases the probability that attacks on accounts will be detected.

However, there are web applications that are explicitly designed for access via various channels (web, mobile, TV) or permit multiple logins for other reasons. But in such exceptional cases, it is recommended that the user then has the option of deliberately terminating the other parallel sessions via a corresponding function, for example, in the case of a password change.

If several sessions are active simultaneously for a user account, this may mean that different users are using the account at the same time or that a successful attack is taking place.

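As an added example (not part of the question or the answer, and not a mechanism Entra ID provides): an application-side session registry in TypeScript that implements the rules listed above. It assumes the app keeps its own server-side session table keyed by a stable user id (taken here to be the `oid` claim of the Entra ID token) and covers the strict single-session rule in both its "reject" and "replace" variants, the warning when a session is already in progress, and the deliberate termination of parallel sessions for the multi-channel exception.

```typescript
type Policy = "reject" | "replace";
interface Session { id: string; userId: string; createdAt: number; }
interface LoginResult {
  ok: boolean;
  sessionId?: string;
  warning?: string;     // shown to the user when a session was already in progress
  terminated: string[]; // sessions revoked to make room (only under "replace")
}
// Assumed key: a stable user id such as the `oid` claim of the Entra ID token.
// The registry lives in the application; Entra ID's own sessions are not modelled.
class SessionRegistry {
  private sessions = new Map<string, Session>();
  private seq = 0;
  // maxSessions = 1 is the strict rule; > 1 models the multi-channel exception.
  constructor(private policy: Policy, private maxSessions = 1) {}
  private active(userId: string): Session[] {
    return Array.from(this.sessions.values())
      .filter(s => s.userId === userId)
      .sort((a, b) => a.createdAt - b.createdAt); // oldest first
  }

  login(userId: string, now: number): LoginResult {
    const existing = this.active(userId);
    const result: LoginResult = { ok: true, terminated: [] };
    if (existing.length > 0) {
      result.warning = `${existing.length} session(s) already active for this account`;
    }
    if (existing.length >= this.maxSessions) {
      if (this.policy === "reject") return { ...result, ok: false };
      // "replace": revoke the oldest session(s) so the new login fits
      for (const s of existing.slice(0, existing.length - this.maxSessions + 1)) {
        this.sessions.delete(s.id);
        result.terminated.push(s.id);
      }
    }
    const id = `s${++this.seq}`;
    this.sessions.set(id, { id, userId, createdAt: now });
    return { ...result, sessionId: id };
  }
  // Checked on every request: a revoked session fails immediately.
  isValid(sessionId: string): boolean { return this.sessions.has(sessionId); }

  // Deliberate termination of parallel sessions, e.g. after a password change.
  terminateOthers(userId: string, keep: string): string[] {
    const others = this.active(userId).filter(s => s.id !== keep).map(s => s.id);
    others.forEach(id => this.sessions.delete(id));
    return others;
  }
}
```

The registry only decides which application sessions stay valid; revoking a session here does not sign the user out of Entra ID itself, so the app must still check `isValid` on every request.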

1 answer

  1. Harshitha Eligeti 4,380 Reputation points Microsoft External Staff Moderator
    2024-12-05T20:56:39.5066667+00:00

    Hi @RATNAPARKHE, NITESH

    Thank you for sharing your issue on Microsoft Q&A. 

    I understand that you are using Azure AD (or Microsoft Entra ID) for managing user authentication in your Angular web application. You want to ensure that only one active session per user exists at any given point in time. 

    To restrict users to a single active session, ensure that when a user logs in from a second device or browser, the first session is terminated. This helps prevent unauthorized access or account misuse due to multiple concurrent sessions. 

    If a user's session is unexpectedly closed (e.g., browser crash), users should be able to log in again without being blocked. This allows users to continue working without being blocked after unintentional session terminations.

    Allow users to view and manage their active sessions, especially during events like password changes or when logging in from multiple devices. This provides control and security. 

    With session management in Azure AD, sessions are stored in the user's browser and validated during subsequent authentication requests, preventing multiple simultaneous sessions for the same user. 

    Additionally, you can enhance security by using conditional access policies and multi-factor authentication (MFA). By configuring policies to control sign-in frequency and persistent browser sessions, you can ensure that users are periodically required to re-authenticate, reducing the risk of concurrent sessions. 

    For additional information, refer to this link: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session

    Hope this helps. Do let us know if you have any further queries. 


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.

    Best Regards. 
    Harshitha Eligeti. 
