NormanJ-8524 asked

Conditional Access - Sign In Frequency - Periodic reauthentication

Dear community,

Our users had to re-authenticate with sign-in frequency active and set to 30 days - and I am trying to understand why. Maybe somebody experienced a similar behaviour.

We have sign-in frequency set to 30 days and it should be rolling 30 days.
But when I checked today I found a new setting "periodic reauthentication" which is active and cannot be deactivated. I am sure it was not there when we initially configured CA.

The info field still says:
"Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer."

I am thinking about deactivating "Sign-In Frequency" and using the 90 days rolling window, to prevent these errors:
"The session has expired or is invalid due to sign-in frequency checks by conditional access."
Browser: Chrome 100.0.4896
Operating System Windows 10
Compliant No
Managed No

or
"The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
Application: Apple Internet Accounts
Operating System Ios
Compliant No
Managed No

Any Ideas?
Thank you!

Regards,
Norman

azure-ad-conditional-access
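As an added example (not part of Norman's post), the following Python triages exported sign-in failure records shaped like the two entries quoted above: it separates expired-session failures from expired-refresh-token failures and reports how many come from unmanaged, non-compliant devices. The record field names and the sample records are constructed assumptions, not a Microsoft export format.

```python
"""Triage sign-in failures caused by Conditional Access sign-in frequency checks.

The records below are constructed samples (not real log data); their field names
(client, os, compliant, managed, failure) are assumptions, not an export schema.
"""
from collections import Counter

# Substring shared by both error messages quoted in the question.
SIF_MARKER = "sign-in frequency checks by conditional access"

# Constructed sample records mirroring the two failures in the question plus two
# unrelated sign-ins, so the filter has something to exclude.
SAMPLE_SIGNINS = [
    {"user": "user1@example.com", "client": "Chrome 100.0.4896", "os": "Windows 10",
     "compliant": False, "managed": False,
     "failure": "The session has expired or is invalid due to sign-in frequency "
                "checks by conditional access."},
    {"user": "user2@example.com", "client": "Apple Internet Accounts", "os": "Ios",
     "compliant": False, "managed": False,
     "failure": "The refresh token has expired or is invalid due to sign-in frequency "
                "checks by conditional access. The token was issued on {issueDate} and "
                "the maximum allowed lifetime for this request is {time}."},
    {"user": "user3@example.com", "client": "Edge 100", "os": "Windows 10",
     "compliant": True, "managed": True, "failure": ""},
    {"user": "user4@example.com", "client": "Outlook Mobile", "os": "Android",
     "compliant": True, "managed": True, "failure": "Invalid username or password."},
]


def is_sif_failure(record):
    """True when the failure text is one of the sign-in-frequency errors."""
    return SIF_MARKER in record.get("failure", "").lower()


def classify(failure):
    """Distinguish an expired browser session from an expired refresh token."""
    text = failure.lower()
    if text.startswith("the refresh token"):
        return "refresh_token"
    if text.startswith("the session"):
        return "session"
    return "other"


def triage(records):
    """Count sign-in-frequency failures by (kind, client, os, managed)."""
    counts = Counter()
    for r in records:
        if not is_sif_failure(r):
            continue
        key = (classify(r["failure"]), r["client"], r["os"], bool(r["managed"]))
        counts[key] += 1
    return counts


def unmanaged_share(records):
    """Fraction of sign-in-frequency failures that came from unmanaged devices."""
    sif = [r for r in records if is_sif_failure(r)]
    if not sif:
        return 0.0
    return sum(1 for r in sif if not r["managed"]) / len(sif)


if __name__ == "__main__":
    for key, n in triage(SAMPLE_SIGNINS).items():
        print(n, key)
    print(f"unmanaged share: {unmanaged_share(SAMPLE_SIGNINS):.0%}")
```

Running this over a real export before loosening the policy shows whether the errors cluster on unmanaged, non-compliant devices (both entries in the question do), which is exactly where a shorter reauthentication window is doing useful work.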

1 Answer

ShwetaMathur answered

Hi NormanJ-8524,

Thanks for reaching out.

I understood that users are forced to reauthenticate in the application every 30 days, as a conditional policy of 30 days has been set up in sign-in frequency, as below:

[image attachment: image.png]

This is the expected behavior for sign-in frequency if periodic reauthentication has been set up to 30 days.

As per the info, the Azure AD default configuration for user sign-in frequency is a rolling window of 90 days, but we can apply a sign-in frequency conditional policy to ask the users to sign in again after the period which is defined in "Periodic reauthentication".

In case users need to reauthenticate after 90 days, there is no need to set a sign-in frequency conditional policy as this is default Azure AD behavior.

To disable sign-in frequency rolling out every 30 days, uncheck the "Sign-in frequency" and do not configure any session control.

Hope this will help.

Thanks,
Shweta

Please remember to "Accept Answer" if answer helped you.
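As an added example (not from Shweta's answer or from Microsoft's tooling), this Python reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape (sessionControls.signInFrequency) and reports the reauthentication window each enforced policy produces, treating an absent or unchecked control as the 90-day rolling default quoted above. The sample policies are constructed; the 90-day default is the figure stated in this thread.

```python
"""Report the effective reauthentication window from exported Conditional Access policies.

Input follows the Microsoft Graph conditionalAccessPolicy resource shape
(sessionControls.signInFrequency with isEnabled, value, type, frequencyInterval).
The policies below are constructed samples, not a real tenant export.
"""

DEFAULT_ROLLING_DAYS = 90  # Azure AD default rolling window, as quoted in the thread


def sign_in_frequency(policy):
    """Return the enabled signInFrequency control of a policy, or None if not configured."""
    controls = policy.get("sessionControls") or {}
    sif = controls.get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        return None
    return sif


def window_hours(policy):
    """Reauthentication interval in hours.

    None means no control is set and the rolling default applies;
    0 means reauthentication on every sign-in (frequencyInterval == everyTime).
    """
    sif = sign_in_frequency(policy)
    if sif is None:
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    value = int(sif["value"])
    unit = sif["type"]
    if unit == "days":
        return value * 24
    if unit == "hours":
        return value
    raise ValueError(f"unknown signInFrequency type {unit!r}")


def describe(policy):
    """One-line human summary of what the policy does to session lifetime."""
    hours = window_hours(policy)
    name = policy.get("displayName", "<unnamed>")
    state = policy.get("state")
    if hours is None:
        return f"{name} [{state}]: no sign-in frequency; rolling {DEFAULT_ROLLING_DAYS}-day default applies"
    if hours == 0:
        return f"{name} [{state}]: reauthentication required on every sign-in"
    return f"{name} [{state}]: reauthentication every {hours} hours ({hours // 24} days)"


def enforced_windows(policies):
    """Map enforced policy name -> window hours, skipping disabled and report-only policies."""
    return {p["displayName"]: window_hours(p) for p in policies if p.get("state") == "enabled"}


# Constructed sample policies covering the cases discussed in the thread.
SAMPLE_POLICIES = [
    {"displayName": "Require reauth every 30 days", "state": "enabled",
     "sessionControls": {"signInFrequency": {
         "isEnabled": True, "value": 30, "type": "days",
         "authenticationType": "primaryAndSecondaryAuthentication",
         "frequencyInterval": "timeBased"}}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "sessionControls": None},
    {"displayName": "Sign-in frequency unchecked", "state": "enabled",
     "sessionControls": {"signInFrequency": {"isEnabled": False, "value": None, "type": None}}},
    {"displayName": "Report-only every time", "state": "enabledForReportingButNotEnforced",
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}}},
]


if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        print(describe(policy))
```

The second and third sample policies produce the same result: a null sessionControls block and a signInFrequency control with isEnabled false both leave the tenant on the rolling default, which is the "uncheck it and configure no session control" outcome the answer describes.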
