Microsoft's Azure AD Conditional Access Service Can Now Require Reauthentication

Microsoft has added re-authentication support in Azure AD Conditional Access. The company says that it’s one of the top-requested features from customers, who will now be able to configure policies to require authentication by end-users.

Microsoft defines sign-in frequency as the time period before a user is required to log in again when accessing a particular resource. Currently, the user sign-in frequency is set to a “rolling window of 90 days” by default for Azure Active Directory (Azure AD) customers. The new Conditional Access reauthentication policies feature enables IT Admins to change the sign-in frequency of applications that use the OAUTH 2 or OIDC protocols.

It is possible for an organization to require user authentication every time to access an app, but this setting is only appropriate for scenarios like user risk, session risk, and Microsoft Intune device enrollments. Microsoft believes that frequent sign-ins increase the risks of phishing attacks or credential theft and it should only be required for “high-risk scenarios.”

“We’ve gotten a ton of feedback from customers who want extra protection during scenarios where people may have wandered away from their desks, lent their devices to their kids, or if a device became infected with token stealing malware,” said Ricky Pullan, PM for Intelligent Access Team. “With this new capability, you can explicitly re-verify identity, device, and any other Conditional Access conditions for high-risk scenarios.”

Microsoft to add Conditional Access reauthentication policies support for more scenarios

This capability is available for several Office 365 desktop and mobile apps. Additionally, it is supported on Office.com, Exchange Online, the Teams web client, OneDrive and SharePoint, OneNote Online, Dynamics CRM Online, Azure portal, and the Microsoft 365 Admin portal.

Microsoft will continue to listen to feedback about the Conditional Access reauthentication policies while the feature is in public preview. Meanwhile, it is also planning to add support for some new reauthentication scenarios such as PIM elevations and securing VPN access in the coming months.