Bug: After elapse of Azure AD sign-in frequency in Conditional Access Policy, web application does not ask user to reauthenticate

Question

Repro steps:

1. Download a code sample for Microsoft Identity Platform from here (https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code). Used "Angular SPA calls Microsoft Graph using Auth Code Flow w/ PKCE"
2. Configure Azure AD Premium App registration with Conditional Access Policy "Sign-in frequency" set to 1 hour. Also disable the "Stay Signed In" Prompt in the AD Tenant.
3. Follow example 1 from here https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency-and-device-identities i.e. Leave the website inactive. Do not lock or switch off computer. Go away for more than 1 hour.
4. Click a link on the webpage or refresh the page.
   • Expected result: User is asked to sign in again
   • Actual Result: The Refresh token is used to obtain a new Access token. User is still able to access the application without signing in again. (This can be seen by opening the browser's network tab)

Answer 1

I raised this with the Microsoft MSAL team, and they confirmed there does appear to be an issue in server side AD:
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3156

Answer 2

Hi MatthewHolmes-0736,

I'm checking to see if there's anything internally that can cause this as a few customers have reported this.

In the meantime, can you confirm that you have persistent browser session set to "never persistent"? The browser setting on the device may be keeping the users signed in.

Do you have token lifetime policies configured at the same time? Conditional access won't allow you to configure sign in frequency and refresh token lifetime policies at the same time for a given user or app.

I assume you have the right licenses and everything applied since you mentioned following the prerequisites in the document.

Answer 3

Hi @Matthew Holmes

Could you check what your lifetime policies are set as? https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes as this often is the likely reason for the behaviour you are seeing in the application.

I will assume you are not using CAE-capable clients, which means the default access token lifetime is 1 hour, (do check with the guidance in the link above if this has been altered)

Thirdly, there are some settings such as reautentication prompting and session lifetime that may impact you. I.e. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime

My understanding this is a new tenant so I would validate the following tenant settings:

Review your tenant configuration
Now that you understand how different settings works and the recommended configuration, it's time to check your tenants configuration and make changes accordingly:

To configure or review the Remain signed-in option, complete the following steps:

In the Azure AD portal, search for and select Azure Active Directory.
Select Company Branding, then for each locale, choose Show option to remain signed in.
Choose Yes, then select Save.
To remember Multi-factor authentication settings on trusted devices, complete the following steps:

In the Azure AD portal, search for and select Azure Active Directory.
Select Security, then MFA.
Under Configure, select Additional cloud-based MFA settings.
In the Multi-factor authentication service settings page, scroll to remember multi-factor authentication settings. Disable the setting by unchecking the checkbox.
To configure Conditional Access policies for sign-in frequency and persistent browser session, complete the following steps:

In the Azure AD portal, search for and select Azure Active Directory.
Select Security, then Conditional Access.

Ensure the Conditional Access settings and the tenant settings are not impacting your expected behavior.

Hope this helps

Best regards,
Ulv