Configure session behavior in Azure Active Directory B2C

Single sign-on (SSO) session management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.

Session behavior properties

You can use the following properties to manage web application sessions:

  • Web app session lifetime (minutes) - The lifetime of Azure AD B2C's session cookie stored on the user's browser upon successful authentication.
    • Default = 1440 minutes.
    • Minimum (inclusive) = 15 minutes.
    • Maximum (inclusive) = 1440 minutes.
  • Web app session timeout - The session expiry type: Rolling or Absolute.
  • Single sign-on configuration - The session scope of the single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant.
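The article names the three properties but does not show how they interact. The following Python model is an added example, not Microsoft's code and not the real B2C cookie format: it enforces the inclusive 15-1440 minute range for the lifetime, and models Rolling as "lifetime counts from the last time the session cookie was used for SSO" versus Absolute as "lifetime counts from the original sign-in" (that reading of the two timeout types is an assumption of the example). The `SessionCookie` fields, `touch`, `at` and `EPOCH` are constructed for the walkthrough.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Bounds stated in the article for "Web app session lifetime (minutes)".
MIN_LIFETIME_MIN = 15
MAX_LIFETIME_MIN = 1440
DEFAULT_LIFETIME_MIN = 1440

# Constructed clock for the walkthrough: minute offsets from a fixed instant.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    return EPOCH + timedelta(minutes=minutes)


def validate_lifetime(minutes: int) -> int:
    """Reject values outside the inclusive 15..1440 range the portal accepts."""
    if not MIN_LIFETIME_MIN <= minutes <= MAX_LIFETIME_MIN:
        raise ValueError(
            f"session lifetime must be {MIN_LIFETIME_MIN}-{MAX_LIFETIME_MIN} minutes, got {minutes}"
        )
    return minutes


@dataclass(frozen=True)
class SessionCookie:
    """Simplified model of the B2C session cookie (assumed fields, not the real format)."""
    issued_at: datetime                       # last full, interactive authentication
    last_seen: datetime                       # last time the cookie was used for SSO
    lifetime_minutes: int = DEFAULT_LIFETIME_MIN
    timeout: str = "Rolling"                  # "Rolling" or "Absolute"


def is_session_valid(cookie: SessionCookie, now: datetime) -> bool:
    """Absolute: lifetime counts from issuance. Rolling: lifetime counts from the last SSO use."""
    lifetime = timedelta(minutes=validate_lifetime(cookie.lifetime_minutes))
    if cookie.timeout == "Absolute":
        anchor = cookie.issued_at
    elif cookie.timeout == "Rolling":
        anchor = cookie.last_seen
    else:
        raise ValueError(f"unknown timeout type {cookie.timeout!r}")
    return now < anchor + lifetime


def touch(cookie: SessionCookie, now: datetime) -> Optional[SessionCookie]:
    """Model an SSO hop at time `now`: return the refreshed cookie, or None when the
    user must sign in again. Only a Rolling session gains extra lifetime from the hop."""
    if not is_session_valid(cookie, now):
        return None
    return replace(cookie, last_seen=now)


if __name__ == "__main__":
    rolling = SessionCookie(issued_at=at(0), last_seen=at(0), lifetime_minutes=15)
    absolute = replace(rolling, timeout="Absolute")
    # Both sessions are used for SSO at minute 10; at minute 20 only the Rolling one survives.
    print(is_session_valid(touch(rolling, at(10)), at(20)),
          is_session_valid(touch(absolute, at(10)), at(20)))
```

The practical reading: with Absolute, the user is forced back through full authentication once the lifetime elapses no matter how active they are, which is the setting to prefer when a bounded exposure window matters more than convenience; with Rolling, an active user can keep a session alive indefinitely at 15-minute granularity or longer.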

Configure the properties

  1. Sign in to the Azure portal.

  2. Make sure you're using the directory that contains your Azure AD B2C tenant: select the Directory + subscription filter in the top menu and choose that directory.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  4. Select User flows.

  5. Open the user flow that you previously created.

  6. Select Properties.

  7. Configure Web app session lifetime (minutes), Web app session timeout, Single sign-on configuration, and Require ID Token in logout requests as needed.

    (Screenshot: Session behavior property settings in the Azure portal)

  8. Click Save.

Configure sign-out behavior

Secure your logout redirect

After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter, regardless of the reply URLs that have been specified for the application. However, if a valid id_token_hint is passed and Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected. To require an ID Token in logout requests:

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant: select the Directory + subscription filter in the top menu and choose that directory.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select User flows.
  5. Open the user flow that you previously created.
  6. Select Properties.
  7. Enable the Require ID Token in logout requests.
  8. Go back to Azure AD B2C.
  9. Select App registrations, and then select your application.
  10. Select Authentication.
  11. In the Logout URL text box, type your post logout redirect URI, and then select Save.
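To make the security consequence of the setting concrete, here is an added Python model (example code, not Microsoft's implementation) of the decision the section describes: with Require ID Token in logout requests off, the post_logout_redirect_uri is honoured as supplied; with it on and a valid id_token_hint present, the URI must match one of the application's configured logout URLs or the redirect is refused. The `AppRegistration` and `LogoutDecision` types, the normalization rule in `_normalize`, the `build_logout_request` helper and the `end_session_endpoint` value are all assumptions of the example, and the case "setting on but no valid id_token_hint" is not covered by the article, so the example fails closed there by assumption.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode, urlparse, urlunparse


@dataclass
class AppRegistration:
    """Constructed stand-in for the app registration's Authentication blade."""
    client_id: str
    logout_urls: list[str] = field(default_factory=list)  # entries typed into "Logout URL"


@dataclass
class LogoutDecision:
    redirect_to: Optional[str]   # URI the browser is sent to, or None
    error: Optional[str]         # reason the redirect was refused, or None


def _normalize(uri: str) -> str:
    # Example matching rule (an assumption, not B2C's documented comparison):
    # scheme and host compared case-insensitively, path and query verbatim, fragment dropped.
    p = urlparse(uri)
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path, p.params, p.query, ""))


def decide_logout_redirect(
    post_logout_redirect_uri: str,
    id_token_hint_valid: bool,
    require_id_token: bool,
    app: AppRegistration,
) -> LogoutDecision:
    if not require_id_token:
        # Setting off: the article states the redirect happens regardless of reply URLs,
        # so an unregistered URI in the request is honoured. This is the open-redirect exposure.
        return LogoutDecision(post_logout_redirect_uri, None)
    if not id_token_hint_valid:
        # Not described in the article; assumption: refuse rather than redirect.
        return LogoutDecision(None, "id_token_hint missing or invalid")
    registered = {_normalize(u) for u in app.logout_urls}
    if _normalize(post_logout_redirect_uri) in registered:
        return LogoutDecision(post_logout_redirect_uri, None)
    return LogoutDecision(None, "post_logout_redirect_uri does not match a configured logout URL")


def build_logout_request(
    end_session_endpoint: str, post_logout_redirect_uri: str, id_token_hint: Optional[str] = None
) -> str:
    """Assemble the client's logout request from the two parameters the article names."""
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    return f"{end_session_endpoint}?{urlencode(params)}"


# Constructed sample registration; client_id is a placeholder, not a real application.
EXAMPLE_APP = AppRegistration(
    client_id="00000000-0000-0000-0000-000000000000",
    logout_urls=["https://app.contoso.example/signed-out"],
)

if __name__ == "__main__":
    for uri in ("https://app.contoso.example/signed-out", "https://unregistered.example/landing"):
        for require in (False, True):
            d = decide_logout_redirect(uri, id_token_hint_valid=True, require_id_token=require, app=EXAMPLE_APP)
            print(f"require={require} uri={uri} -> redirect={d.redirect_to} error={d.error}")
```

The check only protects the application when both halves of the procedure are done: the user flow setting turns the verification on, and step 11 supplies the allow-list it verifies against. A client that omits id_token_hint from its logout request gets no benefit from the setting either, so the id_token_hint should be sent on every logout.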

Next steps