Microsoft Previews Conditional Access Reauthentication Policies
Organizations using Microsoft's Azure Active Directory Conditional Access service can set policies to require reauthentications by end users via a newly announced preview capability.
The preview capability is known as "Conditional Access reauthentication policies," which get configured using the Azure Portal. It's not wholly clear why organizations would want to compel periodic reauthentications, but Microsoft appears to have added this capability in response to customer requests. It's needed for "some critical operations," the announcement indicated.
Organizations apparently want the policies to address potential device "lending" and "token-stealing malware," plus cases when users have "wandered away from their desks."
Microsoft's document on the topic, though, suggested that "overprompting users" might not be a good idea:
Over-prompting users for reauthentication can impact their productivity and increase the risk of users approving MFA requests they didn't initiate. We highly recommend using "Sign-in frequency -- every time" only for specific business needs.
Organizations can compel users to sign in "every time," if wanted, but Microsoft suggests only adopting that approach in a few cases. The examples included Microsoft Intune device enrollments, and cases where there are risky users or risky sign-ins.
The risk of overprompting users is that they could be lulled into supplying their credentials to "a malicious credential prompt," the document explained.
Microsoft's default configuration with the Azure Active Directory identity and access management service is a user sign-in frequency over "a rolling window of 90 days," according to the document.
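The "every time" setting versus the 90-day rolling window is the trade-off the article describes, and the practical question for an administrator is whether any existing policy applies "every time" more broadly than Microsoft recommends. The following script is an added example, not code from the article or from Microsoft: it audits a set of Conditional Access policies and flags any enabled policy that enforces every-time reauthentication without being scoped to risky users, risky sign-ins, or Intune enrollment. It assumes the Microsoft Graph conditionalAccessPolicy JSON shape (sessionControls.signInFrequency with frequencyInterval "everyTime" or "timeBased", conditions.userRiskLevels and signInRiskLevels); the policy records are constructed sample data, and the Intune enrollment application ID is a placeholder.

```python
"""Audit Conditional Access policies for over-prompting sign-in frequency.

Added example (not from the article or Microsoft). Assumes the Microsoft Graph
conditionalAccessPolicy JSON shape; sample policies below are constructed.
"""
import json

# Placeholder, not a real application ID: substitute the Intune enrollment app ID.
INTUNE_ENROLLMENT_APP_ID = "PLACEHOLDER-INTUNE-ENROLLMENT-APP-ID"
RISK_LEVELS = {"low", "medium", "high"}

# Constructed sample policies resembling Graph API output.
SAMPLE_POLICIES = json.loads(json.dumps([
    {"displayName": "Reauthenticate all users on every sign-in", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": [], "signInRiskLevels": []},
     "sessionControls": {"signInFrequency": {"isEnabled": True,
                                              "frequencyInterval": "everyTime"}}},
    {"displayName": "Reauthenticate risky sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": [], "signInRiskLevels": ["high", "medium"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True,
                                              "frequencyInterval": "everyTime"}}},
    {"displayName": "Intune enrollment every time", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [INTUNE_ENROLLMENT_APP_ID]},
                    "userRiskLevels": [], "signInRiskLevels": []},
     "sessionControls": {"signInFrequency": {"isEnabled": True,
                                              "frequencyInterval": "everyTime"}}},
    {"displayName": "Finance apps 12-hour window", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["finance-group-id"]},
                    "applications": {"includeApplications": ["finance-app-id"]},
                    "userRiskLevels": [], "signInRiskLevels": []},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 12,
                                              "type": "hours",
                                              "frequencyInterval": "timeBased"}}},
    {"displayName": "Old every-time policy (disabled)", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": [], "signInRiskLevels": []},
     "sessionControls": {"signInFrequency": {"isEnabled": True,
                                              "frequencyInterval": "everyTime"}}},
]))

BROAD_SCOPE_REASON = "every-time reauthentication applied to a broad scope"


def sign_in_frequency(policy):
    """Return the signInFrequency session control, or {} if none is set."""
    return (policy.get("sessionControls") or {}).get("signInFrequency") or {}


def is_every_time(policy):
    """True when the policy forces reauthentication on every sign-in."""
    sif = sign_in_frequency(policy)
    return bool(sif.get("isEnabled")) and sif.get("frequencyInterval") == "everyTime"


def is_narrowly_scoped(policy):
    """True when the policy targets risky users/sign-ins or only Intune enrollment."""
    cond = policy.get("conditions") or {}
    risky = bool(set(cond.get("userRiskLevels") or []) & RISK_LEVELS) or \
        bool(set(cond.get("signInRiskLevels") or []) & RISK_LEVELS)
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    intune_only = bool(apps) and apps <= {INTUNE_ENROLLMENT_APP_ID}
    return risky or intune_only


def rolling_window_days(policy):
    """Sign-in frequency window in days for time-based policies, else None."""
    sif = sign_in_frequency(policy)
    if not sif.get("isEnabled") or sif.get("frequencyInterval") != "timeBased":
        return None
    value = int(sif.get("value", 0))
    return value if sif.get("type") == "days" else value / 24


def audit(policies):
    """Return (policy name, reason) for enabled every-time policies with broad scope."""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled or report-only policies do not prompt anyone
        if is_every_time(policy) and not is_narrowly_scoped(policy):
            findings.append((policy["displayName"], BROAD_SCOPE_REASON))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_POLICIES):
        print(f"{name}: {reason}")
```

Against the constructed set, only the first policy is reported: it applies "every time" to all users and all applications, which is exactly the configuration the Microsoft document warns against. The risky-sign-in and Intune-enrollment policies pass as the narrow cases Microsoft lists, and the 12-hour time-based policy is left for a human to judge against the 90-day default. The `is_narrowly_scoped` heuristic is deliberately conservative; extend it if your tenant has other documented business needs.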
With the preview, it's possible to change the frequency of sign-ins for applications that use the OAuth 2.0 or OIDC protocols. The Conditional Access reauthentication policies will work across the following apps, per the document:
- Word, Excel, PowerPoint Online
- OneNote Online
- Microsoft 365 Admin portal
- Exchange Online
- SharePoint and OneDrive
- Teams web client
- Dynamics CRM Online
- Azure portal
The Conditional Access reauthentication policies also will work with SAML applications "as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on a regular basis," the document explained.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.