sign in frequency (with conditional access) is not being honored

Prakash Patil 1 Reputation point
2021-11-30T03:24:01.79+00:00

We are looking for forcing a user to sign in every x hours (if he/she has not recently authenticated or unlocked the device) and have implemented a conditional access policy. (FYI - apps are Service Now, Salesforce).

We have configured SSO/MFA and created the conditional access policies for persistence session AND a separate policy for sign in frequency (example, 1 hour). We have used the What If tool to check to makes sure these policies are being applied to the users.

Problem - the user is logged in for more than the amount of time defined with sign in frequency and is not logged out or timed out.

What we have already tried:
This feature works properly with Azure Portal but doesn't seem to work for any other app.
The docs state that this should work for SAML too unless the app uses a unique cookie etc. which is not the case.
We also tried converting the integration with OAUTH2/OIDC but doesn't seem to help
We understand that unlocking a device is a sign in event so have made sure that this is not happening

Question:
Is the sign in frequency supposed to work for non Microsoft apps?
Does this feature work with hybrid AD devices (On prem domain joined, using ADC to sync accounts to AD and integration)?
Does this feature depend on "persistence session"? Dont think if seamless SSO is working prpoperly.
Any example of any other app that this is working properly ?

Thanks

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,591 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Prakash Patil 1 Reputation point
    2021-12-06T22:47:55.147+00:00

    Thanks for the reply. We are not using WHB but understand the lock/unlock refresh event.

    The specific correlation id is 5bdcdf89-0995-4859-9855-54f97cda3067.

    We are to open a case with MSFT too. Thanks


  2. Prakash Patil 1 Reputation point
    2021-12-08T22:53:28.877+00:00

    unfortunately, we don't use any office 365 or Outlook/OWA apps.

    0 comments No comments

  3. Mr Sbaa 356 Reputation points
    2021-12-08T23:51:10.563+00:00

    Microsoft says the following:

    The sign-in frequency setting works with SAML applications as well, as long as they do not drop their own cookies and are redirected back to Azure AD for authentication on regular basis.

    Source: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency

    So make sure your app meets the requirements. Since you mentioned that it works with Azure portal, my guess would be that the issue is with the app itself and the configuration of it.

    0 comments No comments

  4. Prakash Patil 1 Reputation point
    2021-12-09T00:35:36.407+00:00

    thanks. i did mention earlier that we checked these conditions for cookie and reauth. Any ways, thanks for your help.

    0 comments No comments