Azure Conditional Access Sign-In Frequency

Lokesh Kumar 41 Reputation points
2021-06-15T08:49:01.933+00:00

Hello Team,

Looking for a solution on Conditional Access: Sign-In Frequency for the scenario below.

I'm working on a CA policy for user session management and used the Sign-In Frequency feature based on device state:

  • Managed device: users accessing an application from a managed device should get a longer session and a persistent browser session for a better user experience.
  • Unmanaged device: users accessing from an unmanaged device should get a restricted session.

The above use case is tested and the results are positive, except for one case where I'm facing a problem.

Issue
When Sign-In Frequency is implemented for multiple applications with tailored sessions, the end user faces the problem below.
For example, with the following configuration, when a user accesses the two applications in the same browser:
App 1 - Sign-In Frequency: 1 Day
App 2 - Sign-In Frequency: 1 Hour
In this case, the user will be asked to re-authenticate every hour.

By default the browser stores the most restrictive session in its local session storage, and users are signed out frequently regardless of the policy designed.

Is there any way to overcome this problem? Your suggestions would be much appreciated.


Accepted answer
  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2021-06-15T13:37:47.64+00:00

    @Lokesh Kumar Thanks for reaching out. The behavior you are seeing is by design, as all the first-party apps allow browsers to cache the ID token in browser local storage.
    So it will always use the latest session cookies.

    Changing browser or using an InPrivate session would help. But this will not change anything with respect to the same-browser, multiple-tab scenario.

    If you are developing apps, you can use MSAL to use session storage, which does not allow the session to be shared between different tabs, thus not allowing the browser to cache anything in local storage.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

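As an added illustration of the answer's MSAL suggestion (example code, not from the question, the answer, or Microsoft's own samples): the `cache.cacheLocation` option of `@azure/msal-browser` accepts `"localStorage"` (shared by every tab of the origin) or `"sessionStorage"` (one store per tab). The client ID, tenant and redirect URI are placeholders, and the two-tab browser model below is constructed for the example only, to show which setting lets a token cached by one app show up in a second tab.

```javascript
// Added example: MSAL.js (@azure/msal-browser) configuration with per-tab
// sessionStorage, beside the shared localStorage default. Only applies to
// apps you develop yourself; first-party apps keep their own caching.
const TAB_ISOLATED = "sessionStorage"; // real msal-browser cacheLocation value
const SHARED = "localStorage";         // msal-browser default, shared across tabs

function buildMsalConfig({ clientId, tenantId, redirectUri, isolatePerTab }) {
  return {
    auth: {
      clientId,                                                // placeholder
      authority: `https://login.microsoftonline.com/${tenantId}`, // placeholder tenant
      redirectUri,                                             // placeholder
    },
    cache: {
      cacheLocation: isolatePerTab ? TAB_ISOLATED : SHARED,
      storeAuthStateInCookie: false, // a cookie would be shared across tabs again
    },
  };
}

// Constructed model of browser storage: one localStorage per origin,
// a fresh sessionStorage for every tab that is opened.
function makeBrowser() {
  const localStorage = new Map();
  return { openTab: () => ({ localStorage, sessionStorage: new Map() }) };
}

function storageFor(tab, config) {
  return config.cache.cacheLocation === TAB_ISOLATED
    ? tab.sessionStorage
    : tab.localStorage;
}

// Does an account cached by app 1 in tab 1 become visible to app 2 in tab 2?
function cacheSharedAcrossTabs(isolatePerTab) {
  const cfg = buildMsalConfig({
    clientId: "00000000-0000-0000-0000-000000000000",
    tenantId: "placeholder.onmicrosoft.com",
    redirectUri: "https://localhost",
    isolatePerTab,
  });
  const browser = makeBrowser();
  const tab1 = browser.openTab();
  const tab2 = browser.openTab();
  storageFor(tab1, cfg).set("msal.account", "user@placeholder.example");
  return storageFor(tab2, cfg).has("msal.account");
}
```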
