Conditional Access - Sign In Frequency - Periodic reauthentication

Norman 26 Reputation points
2022-04-26T14:37:04.453+00:00

Dear community,

our users had to re-authenticate with sign-in frequency active and set to 30 days - and I am trying to understand why. Maybe somebody experienced a similar behaviour.

We have sign-in frequency set to 30 days and it should be rolling 30 days..
But when I checked today I found a new setting "periodic reauthentication" which is active and cannot be deactivated. I am sure it was not there when we initially configured CA.

The info field still says:
"Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer."

I am thinking about dis-activating "Sign-In Frequency" and using the 90 days rolling windows, to prevent this errors:
"The session has expired or is invalid due to sign-in frequency checks by conditional access."
Browser: Chrome 100.0.4896
Operating System Windows 10
Compliant No
Managed No

or

"The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
Application: Apple Internet Accounts
Operating System Ios
Compliant No
Managed No

Any Ideas?
Thank you!

Regards,
Norman

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,367 questions
Accepted answer
  1. Shweta Mathur 27,141 Reputation points Microsoft Employee
    2022-04-28T08:27:15.293+00:00

    Hi NormanJ-8524,

    Thanks for reaching out.

    I understood that users are forced to reauthenticate in the application every 30 days as conditional policy of 30 days has been setup in sign-in frequency as below

    197311-image.png

    This is the expected behavior for sign-in frequency if periodic reauthentication has been setup 30 days.

    As per info, The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days but we can apply sign-in frequency conditional policy to asked the users to sign in again after the period which is define in "Periodic reauthentication".

    In case users need to reauthenticate after 90 days, there is no need to set sign in frequency conditional policy as this is default Azure AD behavior.

    To disable sign-in frequency to rollout every 30 days, unchecked the "Sign-in frequency" and do not configure any session control.

    Hope this will help.

    Thanks,
    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest