Authentication session management in Azure AD Conditional Access lets you configure how often your users must re-enter their credentials and whether they must sign in again after closing and reopening their browser. These are fine-grained controls that can add both security and flexibility to your environment.
Previously, authentication session management applied only to first-factor authentication on Azure AD joined, hybrid Azure AD joined and Azure AD registered devices. There was no easy way for customers to re-enforce multi-factor authentication (MFA) on those devices. Microsoft heard the feedback loud and clear and has since addressed the issue: the sign-in frequency setting now also applies to MFA.
Getting started
Authentication session management requires an Azure AD Premium P1 license. It is configured from the Azure portal: sign in with a Global Administrator account, go to Azure Active Directory > Security > Conditional Access, then open an existing policy or create a new one. The two settings are in the Session section under Access controls.
Setting the sign-in frequency
Sign-in frequency defines the period after which a user is prompted to sign in again when accessing a resource. You can set a value from 1 hour to 365 days. Note that the prompt is enforced the next time the client has to obtain a new token from Azure AD: an access token that was already issued stays valid until it expires.
Setting the persistent browser session
This setting controls whether users stay signed in after closing and reopening their browser window. Microsoft offers two values: Always persistent or Never persistent. In both cases you make the decision on behalf of your users, and they will no longer see the "Stay signed in?" prompt.
Configuring how often your users must provide credentials, and whether their browser sessions are persistent, is a delicate balance between security and productivity. For most deployments, the default Azure AD configuration (a rolling window of 90 days for sign-in frequency) already provides the necessary security while preserving a productive user experience. Consider carefully whether changing the default is necessary for your environment.
If you do need to restrict authentication sessions for specific use cases within your organisation, such as data accessed from unmanaged or shared devices, combine the session controls with the other Conditional Access conditions. That way you manage the authentication session lifetime based on the sensitivity of the resource, the privilege of the user account, the authentication strength, the device configuration and the sign-in location, rather than applying a short lifetime to everyone.
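The portal steps above can also be scripted. The following is an added example, not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK to create the policy described in this post (sign-in frequency of 1 hour, browser session never persistent) in report-only mode, scoped to browser sign-ins from devices that are neither Intune-compliant nor hybrid Azure AD joined, which is the "unmanaged or shared devices" case. The policy name, the exclusion group ID and the device filter rule are assumptions for illustration; replace them with your own values.

```powershell
# Added example (not from the original post): create a Conditional Access policy
# with session controls via the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph, an Azure AD Premium P1 license, and
# an account allowed to consent to the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): your break-glass / emergency-access group.
# Always exclude it so a bad session policy cannot lock administrators out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA-Session-UnmanagedBrowser-1h-NoPersist"   # assumed name
    # Report-only first: evaluate the impact in the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        # Persistent browser only matters for browser sessions, so scope to them.
        clientAppTypes = @("browser")
        devices = @{
            deviceFilter = @{
                mode = "include"
                # Assumed rule: devices that are neither compliant nor hybrid-joined.
                # With negative operators in include mode, unregistered devices
                # (no device object at all) also match, which is what we want here.
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    sessionControls = @{
        # Re-prompt for credentials (including MFA) after 1 hour.
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1 }
        # Never keep the session after the browser is closed; the user is not asked.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: list every policy in the tenant that sets a session lifetime control,
# so you can see at a glance what users are actually subject to.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.SessionControls.SignInFrequency.IsEnabled -or
        $_.SessionControls.PersistentBrowser.IsEnabled
    } |
    Select-Object DisplayName, State,
        @{ n = 'SignInFrequency';   e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } },
        @{ n = 'PersistentBrowser'; e = { $_.SessionControls.PersistentBrowser.Mode } }
```

Leave the policy in report-only mode for a few days and review the sign-in logs for entries where it would have applied; only then switch `state` to `enabled`. If you later tighten the device filter, remember that a device with no Azure AD object cannot be evaluated as compliant or joined, so it falls on the restricted side of the rule by design.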
We share your challenges, we accompany your changes
If you have a question or a suggestion, we are available to answer it by email or by phone.