Microsoft Previews Conditional Access Reauthentication Policies -- Redmondmag.com

Microsoft Previews Conditional Access Reauthentication Policies

By Kurt Mackie
05/11/2022

Organizations using Microsoft's Azure Active Directory Conditional Access service can set policies to require reauthentications by end users via a newly announced preview capability.

The preview capability is known as "Conditional Access reauthentication policies," which get configured using the Azure Portal. It's not wholly clear why organizations would want to compel periodic reauthentications, but Microsoft appears to have added this capability in response to customer requests. It's needed for "some critical operations," the announcement indicated.

Organizations apparently want the policies to address potential device "lending" and "token-stealing malware," plus cases when users have "wandered away from their desks."

Microsoft's document on the topic, though, suggested that "overprompting users" might not be a good idea:

Over-promoting users for reauthentication can impact their productivity and increase the risk of users approving MFA requests they didn't initiate. We highly recommend using "Sign-in frequency -- every time" only for specific business needs.

Organizations can compel users to sign in "every time," if wanted, but Microsoft suggests only adopting that approach in a few cases. The examples included Microsoft Intune device enrollments, and cases where there are risky users or risky sign-ins.

The risk of overprompting users is that they could be lulled into supplying their credentials to "a malicious credential prompt," the document explained.

Microsoft's default configuration with the Azure Active Directory identity and access management service is a user sign-in frequency over "a rolling window of 90 days," according to the document.

With the preview, it's possible to change the frequency of sign-ins for applications if they use the OAUTH 2 or OIDC protocols. The Conditional Access reauthentication policies will work across the following apps, per the document:

Word, Excel, PowerPoint Online
OneNote Online
Office.com
Microsoft 365 Admin portal
Exchange Online
SharePoint and OneDrive
Teams web client
Dynamics CRM Online
Azure portal

The Conditional Access reauthentication policies also will work with SAML applications "as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis," the document explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.