Azure B2C session timeout

Question

Azure B2C session timeout

Ujwal Potluri 0

We have a requirement to limit the Azure B2C session to 15 minutes so I put in the following snippet in our custom policy. This is for a sign in policy. After the user signs in by entering email and password, we have a MFA step. When I leave the page over there for 2 hours and come back, the session didn't timeout and I was able to move forward in the policy by entering the MFA code and log into the app. I tried different options of scope and expiry type but none of them seems to be working. I would really appreciate if someone can help me with this.

<SingleSignOn Scope="Application" />
<SessionExpiryType>Absolute</SessionExpiryType>
<SessionExpiryInSeconds>900</SessionExpiryInSeconds>

1 answer

Your answer

Answer 1

Sakshi Devkante 2,040 Microsoft External Staff

Hello Ujwal,

Thank you for posting your query on Microsoft Q&A.

I understand that you would like to have the browser cookies session expire after 15 minutes of inactivity.

Please note that cookies session timeout is controlled by features in Azure B2C; KeepAliveInDays and SessionExpiryInSeconds. Once the KeepAliveInDays isn't enabled, then the SessionExpiryInSeconds handles the session timeout which is the case here.

However, I noticed that you set the SessionExpiryType to Rolling which indicates that the session is extended every time the user performs a cookie-based authentication. This is the default behavior.

To resolve this, kindly change the SessionExpiryType to Absolute which indicates that the user is forced to reauthenticate after the period specified. Also, make sure you aren’t passing the parameter prompt=login to AAD B2C.

User's image

Follow this link (https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior) to learn more about information about Azure AD B2C Session behavior.

Ensure that these settings are placed in the correct location within your policy. Typically, session expiry settings should be within the OrchestrationStep that handles the sign-in and the MFA part. If it’s placed in the wrong part of the policy, it might not be applied where expected.

So, the solution is to look at the token lifetime behavior.

The default is 60 minutes (1 hour). The minimum (inclusive) is 5 minutes. The maximum (inclusive) is 1,440 minutes (24 hours).

So kindly set your token lifetime to 15 mins. This should be Access and ID token lifetimes

Follow this link https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy to get more information about this.

You can configure the Azure AD B2C session behavior, including:

Web app session lifetime (minutes) - The amount of time the Azure AD B2C session cookie is stored on the user's browser after successful authentication. You can set the session lifetime up to 24 hours.

Web app session timeout - Indicates how a session is extended by the session lifetime setting or the Keep me signed in (KMSI) setting. Rolling - Indicates that the session is extended every time the user performs a cookie-based authentication (default). Absolute - Indicates that the user is forced to re-authenticate after the time period specified.

User's image

For more details you can refer this QnA post on same issue:
1.https://learn.microsoft.com/en-us/answers/questions/1347290/understanding-b2c-web-app-session-timeout
2. https://learn.microsoft.com/en-us/answers/questions/1103098/azure-ad-b2c-custom-policy-saml-token-lifetime-ses

Documents: https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#token-timeouts.
More info https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/token-lifetimes.md#token-lifetimes-expiration-and-renewal
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4056#issuecomment-917246299

I hope this clarifies things.

Sakshi Devkante 2,040 Reputation points Microsoft External Staff

2025-02-28T17:26:46.9466667+00:00

Hello Ujwal,

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.
Ujwal Potluri 0 Reputation points

2025-02-28T19:58:18.41+00:00

If you see my XML snippet, I am already using Application as scope and not rolling.

When you say "Typically, session expiry settings should be within the OrchestrationStep that handles the sign-in and the MFA part", where exactly I should be putting these settings? Because documentation says it needs to be under UserJourneyBehaviors.

Kancharla Saiteja 1,985 Microsoft External Staff

Hi Ujwal Potluri,

Thanks for your response,

Based on your query, you would like to know where exactly you would like to add the userJourneyBehaviors.

As you choose Absolute which is perfect to clear the session time out based on the time specified and you can have this KeepAliveInDays to "0" to disable KeepMeSignedIn.

Since you would like to implement this for Application you can have scope as Application as you have already specified.

The following example shows a RelyingParty element in the B2C_1A_signup_signin policy file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="https://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="your-tenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://your-tenant.onmicrosoft.com/B2C_1A_signup_signin">
  <BasePolicy>
    <TenantId>your-tenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Application" KeepAliveInDays="0"/>
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="your-application-insights-key" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <ContentDefinitionParameters>
        <Parameter Name="campaignId">{OAUTH-KV:campaignId}</Parameter>
      </ContentDefinitionParameters>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Description>The policy profile</Description>
      <Protocol Name="OpenIdConnect" />
      <Metadata>collection of key/value pairs of data</Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="loyaltyNumber" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
  ...

Please let me know if you have any further queries by responding here.

Ujwal Potluri 0

Below is how my configuration is but when I stay on a MFA page for even 45 minutes, I am still able to send verification code and move forward to login into the app.

<RelyingParty>
    <DefaultUserJourney ReferenceId="SigninMagicLinkOrSms" />
    <Endpoints>
      <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" />
    </Endpoints>
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Application"  KeepAliveInDays="0"/>
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>900</SessionExpiryInSeconds>

Sakshi Devkante 2,040 Reputation points Microsoft External Staff

2025-03-04T10:48:26.8133333+00:00

Hello Ujwal,

Upon reviewing the information provided, it appears that the configuration discussed earlier and the response provided on the thread were specifically in relation to session expiry after logging into the application. This may not have been directly applicable to the MFA page session. It's possible that there was a misunderstanding, and I would like to clarify.

In terms of session timeout during the sign-in process, it is indeed possible to configure the session timeout via a custom policy. However, it is important to note that Azure AD B2C does not initiate a session until the user has completed the sign-up or sign-in process. Until that point, there is no active session in B2C.

Please once go through this document: https://techcommunity.microsoft.com/blog/fasttrackforazureblog/azure-ad-b2c-user-journey-time-out-through-custom-policy/3662070

I hope this helps clarify the situation
Sakshi Devkante 2,040 Reputation points Microsoft External Staff

2025-03-06T14:54:45.4533333+00:00

Hello,

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.
Sakshi Devkante 2,040 Reputation points Microsoft External Staff

2025-03-07T15:12:57.9033333+00:00

Hello,

I hope you're doing well. I just wanted to follow up and see if you had any updates regarding the thread. I haven’t heard back from you and wanted to make sure everything is going smoothly.

Share via

Azure B2C session timeout

1 answer

Your answer