You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md
+23-10Lines changed: 23 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -58,27 +58,40 @@ Sign-in frequency previously applied to only to the first factor authentication
58
58
59
59
### User sign-in frequency and device identities
60
60
61
-
On Azure AD joined, hybrid Azure AD joined, or Azure AD registered devices, unlocking the device or signing in interactively will satisfy the sign-in frequency policy. In the following two examples user sign-in frequency is set to 1 hour:
61
+
On Azure AD joined and hybrid Azure AD joineddevices, unlocking the device, or signing in interactively will only refresh the Primary Refresh Token (PRT) every 4 hours. The last refresh timestamp recorded for PRT compared with the current timestamp must be within the time allotted in SIF policy for PRT to satisfy SIF and grant access to a PRT that has an existing MFA claim. On [Azure AD registered devices](https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register), unlock/sign-in would not satisfy the SIF policy because the user is not accessing an Azure AD registered device via an Azure AD account. However, the [Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam) WAM plugin can refresh a PRT during native application authentication using WAM.
62
62
63
-
Example 1:
63
+
Note: The timestamp captured from user log-in is not necessarily the same as the last recorded timestamp of PRT refresh because of the 4-hour refresh cycle. The case when it is the same is when a PRT has expired and a user log-in refreshes it for 4 hours. In the following examples, assume SIF policy is set to 1 hour and PRT is refreshed at 00:00.
64
+
65
+
Example 1: *when you continue to work on the same doc in SPO for an hour*
64
66
65
67
- At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
66
68
- The user continues working on the same document on their device for an hour.
67
69
- At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator.
68
70
69
-
Example 2:
71
+
Example 2:*when pausing work with a background task running in the browser, then interacting again after the SIF policy time has passed*
70
72
71
-
- At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
73
+
- At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts to upload a document to SharePoint Online.
74
+
- At 00:10, the user gets up and takes a break locking their device. The background upload continues to SharePoint Online.
75
+
- At 02:45, the user returns from their break and unlocks the device. The background upload shows completion.
76
+
- At 02:45, the user is prompted to sign in when they interact again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator since the last sign-in happened at 00:00.
77
+
78
+
If the client app (under activity details) is a Browser, we defer sign in frequency enforcement of events/policies on background services until the next user interaction.
79
+
80
+
Example 3: *with 4-hour refresh cycle of primary refresh token from unlock*
81
+
82
+
Scenario 1 - User returns within cycle
83
+
84
+
- At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
72
85
- At 00:30, the user gets up and takes a break locking their device.
73
86
- At 00:45, the user returns from their break and unlocks the device.
74
-
- At 01:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator since the last sign-in happened at 00:45.
87
+
- At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the initial sign-in.
75
88
76
-
Example 3: If the client app (under activity details) is a Browser, we defer sign in frequency enforcement of events/policies on background services until the next user interaction.
89
+
Scenario 2 - User returns outside cycle
77
90
78
-
- At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts to upload a document to SharePoint Online.
79
-
- At 00:10, the user gets up and takes a break locking their device. The background upload continues to SharePoint Online.
80
-
- At 02:45, the user returns from their break and unlocks the device. The background upload shows completion.
81
-
- At 02:45, the user is prompted to sign in when they interact again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator since the last sign-in happened at 00:00.
91
+
- At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.
92
+
- At 00:30, the user gets up and takes a break locking their device.
93
+
- At 04:45, the user returns from their break and unlocks the device.
94
+
- At 05:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the PRT was refreshed at 04:45 (over 4hrs after the initial sign-in at 00:00).
0 commit comments