Azure Active Directory Conditional Access Session Management Policies Now Commercially Available

Microsoft announced on Friday that the ability to use the "authentication session management capabilities" of the Azure Active Directory Conditional Access service has reached the "generally available" commercial-release stage.

Organizations that need fine-grained control over user access to applications can use these authentication session management capabilities to set policies governing how often users must sign in to applications and whether those sign-ins persist after an app is closed, for instance.

The commercial release of this feature comes soon after the preview stage, which was announced earlier this month. In the interval, Microsoft added support for reinforcing multifactor authentication when using authentication session management capabilities, a capability that was previously lacking.

The authentication session management capabilities of the Azure AD Conditional Access service will be replacing a similar feature for controlling access, called the "Configurable Token Lifetimes" capability.

Here's how Microsoft characterized that feature switch, according to this Configurable Token Lifetimes document:

After hearing from customers during the preview, we've implemented authentication session management capabilities in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign-in frequency. After May 30, 2020 no new tenant will be able to use Configurable Token Lifetime policy to configure session and refresh tokens. The deprecation will happen within several months after that, which means that we will stop honoring existing session and refresh token policies. You can still configure access token lifetimes after the deprecation.

With the authentication session management capabilities, IT pros can set a time period for when users will be prompted to sign in again, ranging from 1 hour to 365 days. Sessions can be set to persist or to never persist. However, Microsoft advocates using its default configurations in most cases.

"For most deployments, the Azure AD default configuration for authentication session already provides the necessary security while balancing a productive user experience," stated Alex Simons, corporate vice president of program management for the Microsoft Identity Division, in the announcement.

It's possible to apply these policies to specific use cases, such as applying conditional access to "unmanaged or shared devices." Other criteria that could be used in policies include specifying the "sensitivity of a resource, user account privilege, authentication strength, device configuration, location" and more.
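The settings described above (a sign-in frequency between 1 hour and 365 days, a persistent or never-persistent browser session, and a multifactor authentication requirement that is re-satisfied each period) map onto the session controls and grant controls of a Conditional Access policy. The following PowerShell is an added example, not code from the article or from Microsoft, showing one way to create such a policy through the Microsoft Graph API using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the signed-in admin can consent to the `Policy.ReadWrite.ConditionalAccess` scope, and that a group of users who work from shared or unmanaged devices already exists; the group object id is a placeholder. The policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the article or Microsoft): create an Azure AD Conditional
# Access policy with the session controls the article describes, via Microsoft Graph.
# Assumes the Microsoft Graph PowerShell SDK and the Policy.ReadWrite.ConditionalAccess scope.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of a group of users who sign in from shared or unmanaged devices.
$sharedDeviceUsersGroupId = "<GROUP-OBJECT-ID-PLACEHOLDER>"

$policy = @{
    displayName = "Session controls - shared device users (report-only)"
    # Report-only first: evaluate the policy in sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($sharedDeviceUsersGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Require MFA; with signInFrequency below, MFA is re-satisfied every period.
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Prompt for re-authentication every 8 hours (article: 1 hour to 365 days allowed).
        signInFrequency   = @{ isEnabled = $true; value = 8; type = "hours" }
        # Do not keep the browser session once the browser is closed.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy {0} in state {1}" -f $created.id, $created.state

# Check: read the policy back and confirm the session controls were stored as intended.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
$check.sessionControls.signInFrequency
$check.sessionControls.persistentBrowser
```

Targeting a group rather than all users keeps the shorter session lifetime on the population that needs it, which is consistent with the article's point that the Azure AD defaults are adequate for most deployments; the report-only state lets the sign-in frequency and persistence effects be measured before users are actually re-prompted.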

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
