Azure Active Directory (Azure AD) has multiple settings that determine how often users need to reauthenticate. This reauthentication can be with a first factor such as a password, FIDO, or passwordless Microsoft Authenticator, or it can be a prompt to perform multifactor authentication (MFA). You can configure these reauthentication settings as needed for your own environment and the user experience you want.

The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt.

It might sound alarming not to ask a user to sign back in, but any violation of IT policies revokes the session. Some examples include a password change, a noncompliant device, or an account disable operation. You can also explicitly revoke users' sessions using PowerShell.
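The explicit revocation mentioned above, as an added example rather than code from the original article. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in administrator holds the User.ReadWrite.All scope; the user principal name is a placeholder.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell SDK
# and an admin with the User.ReadWrite.All scope (or an equivalent directory role).
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Revoke-UserSessions {
    param(
        [Parameter(Mandatory)]
        [string[]]$UserPrincipalName
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

        # revokeSignInSessions invalidates every refresh token and browser session cookie
        # issued to the user, so the next request from any app or browser forces a full
        # sign-in (first and second factor). Access tokens that were already issued stay
        # valid until they expire (about an hour by default), so treat this as "stop
        # issuing new sessions", not as an instant lockout.
        $null = Revoke-MgUserSignInSession -UserId $user.Id

        [pscustomobject]@{
            User      = $user.UserPrincipalName
            RevokedAt = (Get-Date).ToUniversalTime()
        }
    }
}

# Constructed input: the UPN is a placeholder, replace it with a real account.
Revoke-UserSessions -UserPrincipalName "alice@contoso.com"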

This article details recommended configurations and how the different settings work and interact with each other.

To give your users the right balance of security and ease of use by asking them to sign in at the right frequency, we recommend the following configurations:

  • If you have Azure AD Premium:
    • Enable single sign-on (SSO) across applications using managed devices or Seamless SSO.
    • If reauthentication is required, use a Conditional Access sign-in frequency policy.
    • For users that sign in from non-managed devices or mobile device scenarios, persistent browser sessions may not be preferable, or you might use Conditional Access to enable persistent browser sessions together with sign-in frequency policies. Limit the duration to an appropriate time based on the sign-in risk, where a user with less risk has a longer session duration.
  • If you have Microsoft 365 apps licenses or the free Azure AD tier:
    • Enable single sign-on (SSO) across applications using managed devices or Seamless SSO.
    • Keep the Remain signed-in option enabled and guide your users to accept it.
  • For mobile device scenarios, make sure your users use the Microsoft Authenticator app. This app acts as a broker for other Azure AD federated apps and reduces authentication prompts on the device.

Our research shows that these settings are right for most tenants. Some combinations of these settings, such as Remember MFA and Remain signed-in, can result in your users being prompted to authenticate too often. Frequent reauthentication prompts are bad for user productivity and can make users more vulnerable to attacks.

To optimize the frequency of authentication prompts for your users, you can configure the Azure AD session lifetime options. Understand the needs of your business and users, and configure settings that provide the best balance for your environment.

Evaluate session lifetime policies

Without any session lifetime settings, there are no persistent cookies in the browser session. Every time a user closes and reopens the browser, they get a prompt for reauthentication. In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor).

A user might see multiple MFA prompts on a device that doesn't have an identity in Azure AD. Multiple prompts result when each application has its own OAuth refresh token that isn't shared with other client apps. In this scenario, MFA prompts multiple times because each application requests its own OAuth refresh token, and each of those requests has to be validated with MFA.

In Azure AD, the most restrictive session lifetime policy determines when the user needs to reauthenticate. Consider the following scenario:

  • You enable Remain signed-in, which uses a persistent browser cookie, and
  • You also enable Remember MFA for 14 days

In this example scenario, the user needs to reauthenticate every 14 days. This behavior follows the most restrictive policy, even though Remain signed-in by itself wouldn't require the user to reauthenticate in the browser.

Managed devices

Devices joined to Azure AD using Azure AD Join or Hybrid Azure AD Join receive a Primary Refresh Token (PRT) to use single sign-on (SSO) across applications. This PRT lets a user sign in once on the device and allows IT staff to make sure that standards for security and compliance are met. If a user needs to be asked to sign in more often on a joined device for some apps or scenarios, this can be achieved using Conditional Access Sign-in Frequency.

Show option to remain signed-in

When a user selects Yes on the Stay signed in? option during sign-in, a persistent cookie is set on the browser. This persistent cookie remembers both first and second factor, and it applies only to authentication requests in the browser.

Screenshot of example prompt to remain signed in

If you have an Azure AD Premium P1 license, we recommend using the Conditional Access policy for Persistent browser session. This policy overrides the Stay signed in? setting and provides an improved user experience. If you don't have an Azure AD Premium P1 license, we recommend enabling the Stay signed in? setting for your users.

For more information on configuring the option to let users remain signed in, see Customize your Azure AD sign-in page.

Remember Multi-Factor Authentication

This setting lets you configure a value between 1 and 365 days, and it sets a persistent cookie on the browser when a user selects the Don't ask again for X days option at sign-in.

Screenshot of example prompt to approve a sign-in request

While this setting reduces the number of authentications on web apps, it increases the number of authentications for modern authentication clients, such as Office clients. These clients normally prompt only after a password reset or inactivity of 90 days. Setting this value to less than 90 days therefore shortens the default MFA interval for Office clients and increases the reauthentication frequency. When used in combination with Remain signed-in or Conditional Access policies, it may increase the number of authentication requests.

If you use Remember MFA and have Azure AD Premium P1 licenses, consider migrating these settings to Conditional Access Sign-in Frequency. Otherwise, consider using Stay signed in? instead.

For more information, see Remember Multi-Factor Authentication.

Authentication session management with Conditional Access

Sign-in frequency allows the administrator to choose a sign-in frequency that applies to both first and second factor, in both clients and browsers. We recommend using these settings, along with managed devices, in scenarios where you need to restrict the authentication session, such as for critical business applications.

Persistent browser session allows users to remain signed in after closing and reopening their browser window. Similar to the Remain signed-in setting, it sets a persistent cookie on the browser. However, because it's configured by the admin, it doesn't require the user to select Yes on the Stay signed in? prompt, so it provides a better user experience. If you use the Stay signed in? option today, we recommend that you enable the Persistent browser session policy instead.

For more information, see Configure authentication session management with Conditional Access.

Configurable token lifetimes

This setting allows you to configure the lifetime of tokens issued by Azure Active Directory. For session behavior (refresh and session token lifetimes) this policy is replaced by Authentication session management with Conditional Access; access token lifetimes can still be set this way, but they don't control how often users have to reauthenticate. If you are using Configurable token lifetimes today, we recommend starting the migration to the Conditional Access policies.

Review your tenant configuration

Now that you understand how the different settings work and what the recommended configuration is, it's time to check your tenant. You can start by looking at the sign-in logs to understand which session lifetime policies were applied during sign-in.

Under each sign-in log entry, go to the Authentication Details tab and explore Session Lifetime Policies Applied. For more information, see Authentication details.

Screenshot of authentication details.

To configure or review the Remain signed-in option, complete the following steps:

  1. In the Azure AD portal, search for and select Azure Active Directory.
  2. Select Company Branding, then for each locale, choose Show option to remain signed in.
  3. Choose Yes, then select Save.

To review the Remember multifactor authentication on trusted devices setting (and, following the recommendations above, disable it), complete the following steps:

  1. In the Azure AD portal, search for and select Azure Active Directory.
  2. Select Security, then MFA.
  3. Under Configure, select Additional cloud-based MFA settings.
  4. On the Multi-factor authentication service settings page, scroll to remember multi-factor authentication settings. Disable the setting by clearing the checkbox.

To configure Conditional Access policies for sign-in frequency and persistent browser session, complete the following steps:

  1. In the Azure AD portal, search for and select Azure Active Directory.
  2. Select Security, then Conditional Access.
  3. Configure a policy using the recommended session management options detailed in this article.
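The same two session controls created through Microsoft Graph instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph PowerShell SDK, an Azure AD Premium P1 license, and an administrator with the Policy.Read.All, Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes. The application ID and the emergency-access account ID are placeholders, and "managed" is assumed to mean compliant or hybrid Azure AD joined. Both policies are created in report-only mode so they can be checked against the sign-in logs before they are enforced.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell SDK
# and an admin with Policy.Read.All, Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlassId  = "00000000-0000-0000-0000-000000000001"   # placeholder: emergency access account object ID
$criticalAppId = "00000000-0000-0000-0000-000000000002"   # placeholder: app ID of a critical business app

# Policy 1: sign-in frequency for a critical app. Requires a fresh first and second factor
# every 12 hours in browsers and modern-auth clients alike, even on PRT-joined devices.
$signInFrequencyPolicy = @{
    displayName = "Session - 12h sign-in frequency for critical app"
    state       = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @($criticalAppId) }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 12 }
    }
}

# Policy 2: no persistent browser session and a one-day sign-in frequency on devices that are
# neither compliant nor hybrid Azure AD joined. Managed devices are excluded by the device
# filter, so they keep PRT-based SSO. Persistent browser session must target all cloud apps.
$unmanagedDevicePolicy = @{
    displayName = "Session - unmanaged devices: no persistent session, 1 day frequency"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
        signInFrequency   = @{ isEnabled = $true; type = "days"; value = 1 }
    }
}

foreach ($policy in @($signInFrequencyPolicy, $unmanagedDevicePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  {1}  state={2}" -f $created.Id, $created.DisplayName, $created.State
}
```

Excluding an emergency-access account is deliberate: a session policy that forces reauthentication on every account, including the one you would use to fix a broken policy, can lock administrators out. Keep the policies in report-only mode until the Session Lifetime Policies Applied field in the sign-in logs shows them matching the sign-ins you expect.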

To review token lifetimes, use Azure AD PowerShell (or the Microsoft Graph PowerShell SDK) to query the token lifetime policies in your tenant. Remove any policies that you have in place once their session behavior has been migrated to Conditional Access.
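A review script for the token lifetime policies described above, as an added example that is not part of the original article. It assumes the Microsoft.Graph PowerShell SDK (the older AzureAD module's Get-AzureADPolicy returns the same policies but is deprecated) and an administrator with Policy.Read.All to list and Policy.ReadWrite.ApplicationConfiguration to remove; the removal function is a dry run unless -Force is passed.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph PowerShell SDK
# and an admin with Policy.Read.All (list) and Policy.ReadWrite.ApplicationConfiguration (remove).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ApplicationConfiguration"

function Get-TokenLifetimePolicyReport {
    # Each policy's Definition is an array of JSON strings such as
    # {"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"04:00:00"}}
    # In practice there is one element, so only the first is parsed here.
    Get-MgPolicyTokenLifetimePolicy -All | ForEach-Object {
        $definition = ($_.Definition | Select-Object -First 1 | ConvertFrom-Json).TokenLifetimePolicy
        $settings = $definition.PSObject.Properties |
            Where-Object { $_.Name -ne "Version" } |
            ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }
        [pscustomobject]@{
            Id                    = $_.Id
            DisplayName           = $_.DisplayName
            IsOrganizationDefault = $_.IsOrganizationDefault
            Settings              = $settings -join "; "
        }
    }
}

function Remove-TokenLifetimePolicies {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [switch]$Force   # without -Force, only report what would be removed
    )
    process {
        if ($Force) {
            Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $Policy.Id
            "removed  {0}  {1}" -f $Policy.Id, $Policy.DisplayName
        } else {
            "would remove  {0}  {1}  [{2}]" -f $Policy.Id, $Policy.DisplayName, $Policy.Settings
        }
    }
}

$report = Get-TokenLifetimePolicyReport
$report | Format-Table -AutoSize

# Dry run. Re-run with -Force once the equivalent Conditional Access sign-in frequency
# policy is in place and no application still depends on a custom lifetime.
$report | Remove-TokenLifetimePolicies
```

Policies whose Settings column shows only access token lifetimes are not session settings and can stay; the ones to migrate are those that set refresh or session token lifetimes, which Conditional Access sign-in frequency now controls.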

If more than one setting is enabled in your tenant, we recommend updating your settings based on the licensing available to you. For example, if you have Azure AD Premium licenses, you should use only the Conditional Access policies for Sign-in Frequency and Persistent browser session. If you have Microsoft 365 apps or Azure AD Free licenses, you should use the Stay signed in? configuration.

If you have enabled configurable token lifetimes for refresh or session tokens, this capability will be removed soon. Plan a migration to a Conditional Access policy.

The following table summarizes the recommendations based on licenses:

  Setting                   | Azure AD Free and Microsoft 365 apps                                          | Azure AD Premium
  SSO                       | Azure AD join or Hybrid Azure AD join, or Seamless SSO for unmanaged devices  | Azure AD join or Hybrid Azure AD join
  Reauthentication settings | Remain signed-in                                                              | Conditional Access policies for sign-in frequency and persistent browser session

Next steps

To get started, complete the tutorial Secure user sign-in events with Azure AD Multi-Factor Authentication or Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication.