You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/authentication/overview-authentication.md
+50-2Lines changed: 50 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -75,7 +75,7 @@ By default, Azure AD blocks weak passwords such as *Password1*. A global banned
75
75
76
76
To increase security, you can define custom password protection policies. These policies can use filters to block any variation of a password containing a name such as *Contoso* or a location like *London*, for example.
77
77
78
-
For hybrid security, you can integrate Azure AD password protection with an on-premises Active Directory environment. A component installed in the on-prem environment receives the global banned password list and custom password protection policies from Azure AD, and domain controllers use them to process password change events. This hybrid approach makes sure that no matter how or where a user changes their credentials, you enforce the use of strong passwords.
78
+
For hybrid security, you can integrate Azure AD password protection with an on-premises Active Directory environment. A component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD, and domain controllers use them to process password change events. This hybrid approach makes sure that no matter how or where a user changes their credentials, you enforce the use of strong passwords.
79
79
80
80
## Passwordless authentication
81
81
@@ -85,7 +85,55 @@ The end-goal for many environments is to remove the use of passwords as part of
85
85
86
86
When you sign in with a passwordless method, credentials are provided by using methods like biometrics with Windows Hello for Business, or a FIDO2 security key. These authentication methods can't be easily duplicated by an attacker.
87
87
88
-
Azure AD provides ways to natively authenticate using passwordless methods to simplify the sign-in experience for users and reduce the risk of attacks.
88
+
Azure AD provides ways to natively authenticate using passwordless methods to simplify the sign-in experience for users and reduce the risk of attacks.
89
+
90
+
## Web browser cookies
91
+
92
+
When authenticating against Azure Active Directory through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests, other cookies are specific to some particular scenarios, i.e., specific authentication flows and/or specific client-side conditions.
93
+
94
+
Persistent session tokens are stored as persistent cookies on the web browser's cookie jar, and non-persistent session tokens are stored as session cookies on the web browser and are destroyed when the browser session is closed.
95
+
96
+
| Cookie Name | Type | Comments |
97
+
|--|--|--|
98
+
| ESTSAUTH | Common | Contains user's session information to facilitate SSO. Transient. |
99
+
| ESTSAUTHPERSISTENT | Common | Contains user's session information to facilitate SSO. Persistent. |
100
+
| ESTSAUTHLIGHT | Common | Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature. |
101
+
| SignInStateCookie | Common | Contains list of services accessed to facilitate sign-out. No user information. Security feature. |
102
+
| CCState | Common | Contains session information state to be used between Azure AD and the [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults). |
103
+
| buid | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |
104
+
| fpc | Common | Tracks browser related information. Used for tracking requests and throttling. |
105
+
| esctx | Common | Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser. No user information. |
106
+
| ch | Common | ProofOfPossessionCookie. Stores the Proof of Possession cookie hash to the user agent. |
107
+
| ESTSSC | Common | Legacy cookie containing session count information no longer used. |
108
+
| ESTSSSOTILES | Common | Tracks session sign-out. When present and not expired, with value "ESTSSSOTILES=1", it will interrupt SSO, for specific SSO authentication model, and will present tiles for user account selection. |
109
+
| AADSSOTILES | Common | Tracks session sign-out. Similar to ESTSSSOTILES but for other specific SSO authentication model. |
| SSOCOOKIEPULLED | Common | Prevents looping on specific scenarios. No user information. |
112
+
| cltm | Common | For telemetry purposes. Tracks AppVersion, ClientFlight and Network type. |
113
+
| brcap | Common | Client-side cookie (set by JavaScript) to validate client/web browser's touch capabilities. |
114
+
| clrc | Common | Client-side cookie (set by JavaScript) to control local cached sessions on the client. |
115
+
| CkTst | Common | Client-side cookie (set by JavaScript). No longer in active use. |
116
+
| wlidperf | Common | Client-side cookie (set by JavaScript) that tracks local time for performance purposes. |
117
+
| x-ms-gateway-slice | Common | Azure AD Gateway cookie used for tracking and load balance purposes. |
118
+
| stsservicecookie | Common | Azure AD Gateway cookie also used for tracking purposes. |
119
+
| x-ms-refreshtokencredential | Specific | Available when [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token) is in use. |
120
+
| estsStateTransient | Specific | Applicable to new session information model only. Transient. |
121
+
| estsStatePersistent | Specific | Same as estsStateTransient, but persistent. |
122
+
| ESTSNCLOGIN | Specific | National Cloud Login related Cookie. |
123
+
| UsGovTraffic | Specific | US Gov Cloud Traffic Cookie. |
124
+
| ESTSWCTXFLOWTOKEN | Specific | Saves flowToken information when redirecting to ADFS. |
125
+
| CcsNtv | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults). Native flows. |
126
+
| CcsWeb | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults). Web flows. |
127
+
| Ccs*| Specific | Cookies with prefix Ccs*, have the same purpose as the ones without prefix, but only apply when [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults) is in use. |
128
+
| threxp | Specific | Used for throttling control. |
129
+
| rrc | Specific | Cookie used to identify a recent B2B invitation redemption. |
130
+
| debug | Specific | Cookie used to track if user's browser session is enabled for DebugMode. |
131
+
| MSFPC | Specific | This cookie is not specific to any ESTS flow, but is sometimes present. It applies to all Microsoft Sites (when accepted by users). Identifies unique web browsers visiting Microsoft sites. It's used for advertising, site analytics, and other operational purposes. |
132
+
133
+
> [!NOTE]
134
+
> Cookies identified as client-side cookies are set locally on the client device by JavaScript, hence, will be marked with HttpOnly=false.
135
+
>
136
+
> Cookie definitions and respective names are subject to change at any moment in time according to Azure AD service requirements.
0 commit comments