Why does Azure AD require to enter user credentials for sign-in after sign-out?

Question

Why does Azure AD require to enter user credentials for sign-in after sign-out?

Дмитрий Семин 46

Hello!
I want to understand SSO concept.

I am signed-in in portal.azure.com
I open Loginpage of my app and press button "Login by Microsoft"
I am signed-in in my app automatically (AAD doesn't require to enter my credentials)
I do log out from my app.
I open Loginpage of my app and press button "Login by Microsoft" again.
AAD requires to enter my credentials

Why AAD requires my credentials after logout?
What is changed before second login attempt comparing before first login attempt?

I work on Asp.net Framework and use OWIN and OpenId Connect.

Accepted answer

0 additional answers

Your answer

Answer 1

AmanpreetSingh-MSFT 56,871 Moderator

Hi @Дмитрий Семин · Thank you for reaching out.

If you organization has configured Azure Active Directory Seamless Single Sign-On or If the devices are Azure AD Registered/Azure AD Joined/Azure AD Hybrid Joined, users automatically sign into web application under currently logged in user's context using PRT (Primary Refresh Token). However, when user explicitly signs out of the application, the PRT cookie and Session cookies are explicitly marked as expired and are invalidated. Which is why at the next sign-in user is required to enter his/her credentials.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Дмитрий Семин 46 Reputation points

2021-02-25T10:58:29.737+00:00

@AmanpreetSingh-MSFT thank you for reply! Could you please give me links with reference/description of Primary Refresh Token? I didn't find out mention about this in OpenId Connect Core Spec.
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-02-25T12:29:25.43+00:00

Hi @Дмитрий Семин Please find the link to the PRT document below:
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
Дмитрий Семин 46 Reputation points

2021-02-25T15:16:36.857+00:00

Is PRT for Azure AD only?
I think it is for all OIDC Idps, isn't?
Дмитрий Семин 46 Reputation points

2021-02-26T08:46:58.833+00:00

@AmanpreetSingh-MSFT I just registered my app in Azure AD. Is it a Azure AD registered scenario or not?
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-02-26T14:10:13.58+00:00

Hi @Дмитрий Семин · PRT is issued only when a device is registered or joined to Azure AD and it is bound to the Device. OIDC IDPs provide Refresh Token which is different than PRT and Refresh tokens are bound to application and not to the device.
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-02-26T14:14:16.663+00:00

Hi @Дмитрий Семин · Registering App in Azure AD is different than registering device in Azure AD. PRTs are issued only when devices are joined/registered to AAD and it is bound to the device. When an app is registered in AAD, no PRT is issued and only standard long lived Refresh token (90 days by default) is issued to the app which is redeemed by the application to acquire new short lived access token (1 hr. by default).
Дмитрий Семин 46 Reputation points

2021-02-26T15:58:13.047+00:00
Is Refresh token issued after app registration (not after first authentication request)?

Does AAD require to enter my credentials after sign-out beacouse I invalidated Refresh token?
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-03-01T11:53:51.95+00:00
Hi @Дмитрий Семин ·

When you do app registration, you basically federate the application with Azure AD, so that application can authenticate against Azure AD. Once authentication is done, Access Token and Refresh Token pair is issued.

Yes, when you sign-out, all authentication tokens and cookies are invalidated and re-login is required for subsequent logins.

Share via

Why does Azure AD require to enter user credentials for sign-in after sign-out?

0 additional answers

Your answer