Sign-in frequency (with Conditional Access) is not being honored

Prakash Patil 1 Reputation point
2021-11-30T03:24:01.79+00:00

We are looking to force a user to sign in every x hours (if he/she has not recently authenticated or unlocked the device) and have implemented a Conditional Access policy. (FYI: the apps are ServiceNow and Salesforce.)

We have configured SSO/MFA and created the Conditional Access policies for persistent session AND a separate policy for sign-in frequency (for example, 1 hour). We have used the What If tool to check and make sure these policies are being applied to the users.

Problem: the user stays logged in for longer than the time defined by sign-in frequency and is not logged out or timed out.

What we have already tried:
This feature works properly with the Azure portal but doesn't seem to work for any other app.
The docs state that this should work for SAML too unless the app uses its own cookie, etc., which is not the case.
We also tried converting the integration to OAuth2/OIDC, but that doesn't seem to help.
We understand that unlocking a device is a sign-in event, so we have made sure that this is not happening.

Questions:
Is sign-in frequency supposed to work for non-Microsoft apps?
Does this feature work with hybrid AD devices (on-prem domain joined, using ADC to sync accounts to AD and for integration)?
Does this feature depend on "persistent session"? Don't know if seamless SSO is working properly.
Any example of another app where this is working properly?

Thanks

Microsoft Entra ID

4 answers

  1. Prakash Patil 1 Reputation point
    2021-12-06T22:47:55.147+00:00

    Thanks for the reply. We are not using WHB but understand the lock/unlock refresh event.

    The specific correlation id is 5bdcdf89-0995-4859-9855-54f97cda3067.

    We are going to open a case with MSFT too. Thanks


  2. Prakash Patil 1 Reputation point
    2021-12-08T22:53:28.877+00:00

    Unfortunately, we don't use any Office 365 or Outlook/OWA apps.


  3. Mr Sb 356 Reputation points
    2021-12-08T23:51:10.563+00:00

    Microsoft says the following:

    The sign-in frequency setting works with SAML applications as well, as long as they do not drop their own cookies and are redirected back to Azure AD for authentication on regular basis.

    Source: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency

    So make sure your app meets the requirements. Since you mentioned that it works with the Azure portal, my guess would be that the issue is with the app itself and its configuration.

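An added example, not from the original thread and not Microsoft's own code, of how the two policies the question describes can be created with the Microsoft Graph PowerShell SDK, and how to read back from the sign-in log which Conditional Access policies Entra evaluated for a given user and app and which session controls it actually enforced. The group ID, application (client) IDs, UPN and policy names are placeholders. The persistent-browser policy is scoped to all cloud apps, which that control requires, and both policies start in report-only mode.

```powershell
# Added example (not from the original thread). Creates a sign-in frequency
# policy for the target apps plus a separate persistent-browser policy, then
# reports, per sign-in, which CA policies applied and what they enforced.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# All IDs, the UPN and the policy names below are hypothetical placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000001'     # hypothetical pilot group object ID
$targetAppIds = @(
    '00000000-0000-0000-0000-0000000000a1',                # hypothetical ServiceNow application (client) ID
    '00000000-0000-0000-0000-0000000000a2'                 # hypothetical Salesforce application (client) ID
)

# Policy 1: require a fresh interactive sign-in every hour for the target apps.
# Session controls alone are a valid policy; no grant control is needed.
$signInFrequencyPolicy = @{
    displayName     = 'Session: 1h sign-in frequency for SaaS apps (pilot)'
    state           = 'enabledForReportingButNotEnforced'   # switch to 'enabled' once the log confirms it matches
    conditions      = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = $targetAppIds }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 1 }
    }
}

# Policy 2: never persist the browser session. This control is only accepted
# when the policy targets all cloud apps, so it is kept separate from policy 1.
$persistentBrowserPolicy = @{
    displayName     = 'Session: no persistent browser session (pilot)'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

$created = foreach ($body in @($signInFrequencyPolicy, $persistentBrowserPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
$created | Select-Object DisplayName, State, Id

# Verification: for each recent sign-in of the pilot user to the target apps,
# list every evaluated policy, its result, and the session controls enforced.
function Get-CaEnforcementReport {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string[]] $AppIds,
        [int] $Top = 50
    )
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top
    foreach ($s in ($signIns | Where-Object { $_.AppId -in $AppIds })) {
        foreach ($p in $s.AppliedConditionalAccessPolicies) {
            [pscustomobject]@{
                Time            = $s.CreatedDateTime
                App             = $s.AppDisplayName
                CorrelationId   = $s.CorrelationId
                Policy          = $p.DisplayName
                Result          = $p.Result                          # success, reportOnlySuccess, notApplied, failure, ...
                SessionControls = ($p.EnforcedSessionControls -join ',')
            }
        }
    }
}

Get-CaEnforcementReport -UserPrincipalName 'pilot.user@contoso.example' -AppIds $targetAppIds |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

A sign-in frequency policy can only act when the application sends the user back to Entra, so the report is read in two steps: a Result of notApplied means the conditions did not match that sign-in (wrong app ID, user not in the group, or a non-browser client type), which is a policy problem; a policy that shows success with SignInFrequency in the enforced session controls, but no further interactive sign-ins from that app after the interval has elapsed, means the app is serving its own session without redirecting to Entra, which is the condition the quoted documentation describes.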

  4. Prakash Patil 1 Reputation point
    2021-12-09T00:35:36.407+00:00

    Thanks. I did mention earlier that we checked these conditions for cookies and reauth. Anyway, thanks for your help.
