Microsoft announced on Friday that the ability to use the “authentication session management capabilities” of the Azure Active Directory Conditional Access service is now at the “generally available” commercial-release stage.
Organizations needing fine control over user access to applications might use these authentication session management capabilities. They can use them to set policies and control how often users need to sign into applications, and whether or not those sign-ins will persist after closing an app, for instance.
The commercial release of this feature comes soon after the preview stage, which was announced earlier this month. In the interval, Microsoft added support for reinforcing multifactor authentication when using authentication session management capabilities, a capability that was previously lacking.
The authentication session management capabilities of the Azure AD Conditional Access service will be replacing a similar feature for controlling access, called the “Configurable Token Lifetimes” capability.
Here’s how Microsoft characterized that feature switch, according to this Configurable Token Lifetimes document:
After hearing from customers during the preview, we’ve implemented authentication session management capabilities in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign-in frequency. After May 30, 2020, no new tenant will be able to use Configurable Token Lifetime policy to configure session and refresh tokens. The deprecation will happen within several months after that, which means that we will stop honoring existing session and refresh token policies. You can still configure access token lifetimes after the deprecation.
With the authentication session management capabilities, IT pros can set the period after which users will be prompted to sign in again, ranging from 1 hour to 365 days. Browser sessions can be set to persist or to never persist. However, Microsoft advocates using its default configurations in most cases.
“For most deployments, the Azure AD default configuration for authentication session already provides the necessary security while balancing a productive user experience,” stated Alex Simons, corporate vice president of program management for the Microsoft Identity Division, in the announcement.
It’s possible to apply these policies to specific use cases, such as applying conditional access to “unmanaged or shared devices.” Other criteria that could be used in policies include specifying the “sensitivity of a resource, user account privilege, authentication strength, device configuration, location” and more.
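The two session controls described above (sign-in frequency and persistent browser session) are exposed in the Microsoft Graph conditionalAccessPolicy object under sessionControls, and the policy can be scoped to a group, such as one holding users of shared or unmanaged devices. The following helper is an added example, not code from the article or from Microsoft: it composes such a policy body, rejects sign-in frequencies outside the 1 hour to 365 day range the article states, and defaults to report-only mode so the effect can be observed before enforcement. The field names follow the Graph conditionalAccessPolicy schema; the display name and group ID are constructed placeholders.

```python
"""Compose a Graph conditionalAccessPolicy body with authentication session controls.

Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
schema (signInFrequency, persistentBrowser, builtInControls); the display name
and group ID used in __main__ are constructed placeholders, not real tenant values.
"""
import json

HOURS_PER_DAY = 24
MIN_HOURS = 1                 # lower bound stated in the article: 1 hour
MAX_HOURS = 365 * HOURS_PER_DAY  # upper bound stated in the article: 365 days


def sign_in_frequency_hours(value: int, unit: str) -> int:
    """Normalise a sign-in frequency to hours and reject values outside 1h..365d."""
    if unit not in ("hours", "days"):
        raise ValueError(f"unit must be 'hours' or 'days', got {unit!r}")
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError("sign-in frequency value must be an integer")
    hours = value * HOURS_PER_DAY if unit == "days" else value
    if hours < MIN_HOURS or hours > MAX_HOURS:
        raise ValueError(f"{value} {unit} is outside the allowed 1 hour..365 days")
    return hours


def build_policy(display_name, frequency_value, frequency_unit, persist_browser,
                 include_groups, require_mfa=True, report_only=True):
    """Return a dict shaped like a Graph conditionalAccessPolicy request body.

    report_only=True sets the policy to 'enabledForReportingButNotEnforced' so
    sign-in logs show what *would* happen before anyone is actually prompted.
    """
    sign_in_frequency_hours(frequency_value, frequency_unit)  # validate first
    policy = {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # Scope to explicit groups (e.g. shared-device users) rather than "All"
            "users": {"includeGroups": list(include_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "sessionControls": {
            # How often the user must re-authenticate (refresh token lifetime)
            "signInFrequency": {
                "isEnabled": True,
                "type": frequency_unit,
                "value": frequency_value,
            },
            # Whether the browser session survives closing the browser
            "persistentBrowser": {
                "isEnabled": True,
                "mode": "always" if persist_browser else "never",
            },
        },
    }
    if require_mfa:
        # Grant control: require MFA in addition to the session controls
        policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def to_request_body(policy: dict) -> str:
    """Serialise the policy for a POST to /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed placeholder group ID; replace with a real object ID in a tenant.
    shared = build_policy(
        display_name="Shared devices: 12-hour sign-in, no persistent session",
        frequency_value=12,
        frequency_unit="hours",
        persist_browser=False,
        include_groups=["00000000-0000-0000-0000-000000000000"],
    )
    print(to_request_body(shared))
```

Keeping the policy in report-only state for a few days and reviewing the sign-in logs before flipping state to "enabled" is the usual way to avoid locking out a group with an overly aggressive frequency; the validator above only enforces the documented range, not whether the value is sensible for a given workforce.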