Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.

The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire: users who are trained to enter their credentials without thinking can unintentionally supply them to a malicious credential prompt.

It might sound alarming not to ask a user to sign back in, but in reality any violation of IT policies will revoke the session. Some examples include (but aren't limited to) a password change, a noncompliant device, or a disabled account. You can also explicitly revoke users' sessions using PowerShell. The Azure AD default configuration comes down to "don't ask users to provide their credentials if the security posture of their sessions hasn't changed".

The sign-in frequency setting works with apps that have implemented the OAuth2 or OIDC protocols according to the standards. Most Microsoft native apps for Windows, Mac, and Mobile, including the following web applications, comply with the setting.

The sign-in frequency setting works with third-party SAML applications and apps that have implemented OAuth2 or OIDC protocols, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on a regular basis.

User sign-in frequency and multifactor authentication

Sign-in frequency previously applied only to the first-factor authentication on devices that were Azure AD joined, Hybrid Azure AD joined, and Azure AD registered. There was no easy way for our customers to re-enforce multifactor authentication (MFA) on those devices. Based on customer feedback, sign-in frequency will apply to MFA as well.

User sign-in frequency and device identities
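As an added example (not part of the original article), the Microsoft Graph PowerShell script below creates a Conditional Access policy with a one-day sign-in frequency that re-prompts for MFA as well as the first factor, starts it in report-only mode so its impact can be reviewed in the sign-in logs first, and then explicitly revokes one user's sessions. The pilot group object id and the user principal name are placeholders, and the policy is scoped to a pilot group so that an overly aggressive window cannot lock out every account at once.

```powershell
# Added example: sign-in frequency session control plus explicit session revocation
# using the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# "<pilot-group-object-id>" and "alice@contoso.example" are placeholders, not values from the article.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.ReadWrite.All"

$policy = @{
    displayName = "Pilot - sign-in frequency 1 day (first factor + MFA)"
    # Report-only: evaluated and logged, but not enforced, until the effect has been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("<pilot-group-object-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            value              = 1
            type               = "days"
            # primaryAndSecondaryAuthentication re-prompts for MFA too, not only the first factor.
            authenticationType = "primaryAndSecondaryAuthentication"
            frequencyInterval  = "timeBased"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Explicit revocation: invalidates the user's refresh tokens and session cookies so the next
# access attempt requires a fresh sign-in regardless of the configured frequency window.
Revoke-MgUserSignInSession -UserId "alice@contoso.example"
```

Move the policy to `state = "enabled"` only after the report-only results in the sign-in logs show the expected prompts and no unintended lockouts.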