Assumptions:
Conditional Access (CA) policies do not have the session controls listed below enabled:
- Sign-in frequency: defines how long before a user is asked to sign in again; it is enforced by limiting how long a refresh token can be redeemed silently.
- Persistent browser session: lets the browser store the refresh token on disk (it is otherwise kept in memory only), so the session survives closing and reopening all browser windows.
- Customize continuous access evaluation (CAE): CAE lets Microsoft 365 client apps lose access to SharePoint Online files, email, calendar, tasks and Teams within minutes of a critical event (such as a password change or the account being disabled) instead of waiting for the access token to expire.
Since we do not use CA to manage sign-in frequency, refresh and session tokens are left at the default configuration, and there is no longer any option to change their lifetimes (only access, ID and SAML token lifetimes are configurable).
Property | Policy property string | Affects | Default |
Refresh Token Max Inactive Time | MaxInactiveTime | Refresh tokens | 90 days |
Single-Factor Refresh Token Max Age | MaxAgeSingleFactor | Refresh tokens (for any users) | Until-revoked |
Multi-Factor Refresh Token Max Age | MaxAgeMultiFactor | Refresh tokens (for any users) | Until-revoked |
Single-Factor Session Token Max Age | MaxAgeSessionSingleFactor | Session tokens (persistent and nonpersistent) | Until-revoked |
Multi-Factor Session Token Max Age | MaxAgeSessionMultiFactor | Session tokens (persistent and nonpersistent) | Until-revoked |
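The two assumptions above (no CA session controls, no token lifetime policy touching refresh/session tokens) can be checked against a tenant. The script below is an added example, not part of the original notes; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example (not from the original notes): verify the assumptions above with the
# Microsoft Graph PowerShell SDK. Assumes Microsoft.Graph is installed and the caller
# has Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# 1. Conditional Access policies that set any of the three session controls.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$hits = foreach ($p in $policies) {
    $s = $p.SessionControls
    if (-not $s) { continue }
    $controls = @()
    if ($s.SignInFrequency.IsEnabled) {
        $controls += "SignInFrequency=$($s.SignInFrequency.Value) $($s.SignInFrequency.Type) ($($s.SignInFrequency.FrequencyInterval))"
    }
    if ($s.PersistentBrowser.IsEnabled) {
        $controls += "PersistentBrowser=$($s.PersistentBrowser.Mode)"
    }
    if ($s.ContinuousAccessEvaluation.Mode) {
        $controls += "CAE=$($s.ContinuousAccessEvaluation.Mode)"
    }
    if ($controls) {
        # State is shown because a report-only policy (enabledForReportingButNotEnforced)
        # does not actually change token behaviour.
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Controls = ($controls -join '; ') }
    }
}
if ($hits) {
    Write-Warning "Assumption violated: at least one CA policy configures session controls."
    $hits | Format-Table -AutoSize
} else {
    "No CA policy sets sign-in frequency, persistent browser session or CAE: defaults apply."
}

# 2. Token lifetime policies. Only access/ID/SAML lifetimes are configurable; refresh and
#    session token lifetimes stay at the defaults in the table above regardless of what
#    these policies say.
Get-MgPolicyTokenLifetimePolicy -All | ForEach-Object {
    [pscustomobject]@{ Policy = $_.DisplayName; Definition = ($_.Definition -join ' ') }
} | Format-Table -Wrap
```

A policy in report-only state shows up in the list but does not enforce anything, so check the State column before concluding that the assumption is broken.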
Terms:
Primary Refresh Token (PRT) is a Microsoft-specific token (a JWT issued to Microsoft's first-party token brokers on the device) that is used to obtain access tokens and refresh tokens for applications; it is obtained at the initial sign-in and is what makes SSO work. On Azure AD joined and hybrid Azure AD joined devices the PRT is renewed every 4 hours while the device is in use, and unlocking the device or signing in interactively also refreshes it.
- Valid for 14 days by default and continuously renewed so long as the user actively uses the device. Each device unlock or interactive sign-in generates a new PRT.
- A new PRT requires line of sight to a domain controller for a full Kerberos network logon, which also triggers the Azure AD logon, so the device needs to be on the corporate network at least once every 14 days.
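Whether a device currently holds a PRT, and when it was last renewed and will expire, is visible in the SSO State section of `dsregcmd /status`. The parser below is an added example, not part of the original notes; it is run here against a constructed sample of the relevant output lines so the logic can be checked without a joined device, and the verdict wording is mine.

```powershell
# Added example (not from the original notes): read PRT state from dsregcmd /status.
function Get-PrtState {
    param(
        [string[]]$StatusLines = (dsregcmd /status),   # real output when no sample is passed
        [datetime]$Now = [datetime]::UtcNow
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints right-aligned "Key : Value" pairs; capture only the ones we need.
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|AzureAdPrtUpdateTime|AzureAdPrtExpiryTime)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    # Timestamps look like "2024-03-04 08:12:41.000 UTC"; parse the date/time part as UTC.
    $parse = {
        param($s)
        if ($s -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal')
        }
    }
    $hasPrt  = $fields['AzureAdPrt'] -eq 'YES'
    $updated = if ($hasPrt) { & $parse $fields['AzureAdPrtUpdateTime'] }
    $expires = if ($hasPrt) { & $parse $fields['AzureAdPrtExpiryTime'] }

    $verdict = if (-not $hasPrt) {
        'No PRT: device claims cannot be presented, device-based CA will block; interactive sign-in needed'
    } elseif ($expires -and $expires -le $Now) {
        'PRT expired: renew by unlocking / signing in interactively (with DC line of sight on hybrid-joined devices)'
    } elseif ($updated -and ($Now - $updated) -gt [timespan]::FromHours(4)) {
        'PRT valid but not renewed in the last 4 hours: device idle, or renewal is failing'
    } else {
        'PRT valid and renewing'
    }
    [pscustomobject]@{
        AzureAdJoined   = $fields['AzureAdJoined'] -eq 'YES'
        DomainJoined    = $fields['DomainJoined'] -eq 'YES'
        HasPrt          = $hasPrt
        PrtUpdatedUtc   = $updated
        PrtExpiresUtc   = $expires
        DaysUntilExpiry = if ($expires) { [math]::Round(($expires - $Now).TotalDays, 1) }
        Verdict         = $verdict
    }
}

# Constructed sample of the relevant dsregcmd /status lines (not output from a real device).
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-03-04 08:12:41.000 UTC
      AzureAdPrtExpiryTime : 2024-03-18 08:12:41.000 UTC
'@ -split "`r?`n"

Get-PrtState -StatusLines $sample -Now ([datetime]::new(2024, 3, 10, 9, 0, 0, [DateTimeKind]::Utc)) | Format-List
# Against the local device instead: Get-PrtState | Format-List
```

In the sample the PRT is still valid for about 8 days but has not been renewed for 6 days, which is the state a device reaches when it is left powered off or locked; the verdict flags it so the operator can tell "idle device" apart from "renewal broken" before the 14-day expiry turns into a CA block.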
Access Token is what the client presents to a protected resource. Access tokens have a limited lifetime of about an hour (Microsoft's current default is randomised between 60 and 90 minutes). A refresh token is issued alongside the access token. Access tokens are bearer tokens and cannot be revoked; they remain usable until they expire.
Refresh Token is used to renew the access token / refresh token pair and triggers a re-evaluation of policies (including CA) before the user can continue to access protected resources. When the access token expires after an hour, the Office client presents the refresh token to AAD to obtain a new access token / refresh token pair and carries on without prompting.
- The "14 days (default lifetime)" and "90 days (sliding)" figures that are often quoted come from the older configurable-lifetime defaults. With the current defaults in the table above, a refresh token is valid for 90 days of inactivity (MaxInactiveTime) and has no maximum age (until-revoked); every redemption starts a fresh 90-day window, so it is renewed indefinitely as long as the user keeps using the device. *CA can force users to sign in again even if the refresh token is valid, however no CA session control is enabled to enforce this.*
Scenario:
Pre-requisite: a registered (domain-joined) device (desktop, laptop) with a valid PRT, or an Intune-enrolled mobile device, is needed for a user to sign in and access Office 365 resources. A device-based CA policy requires that access to Office 365 is initiated from the company network, or remotely while connected over VPN.
Foundation:
When a user signs into an Office application, the user authenticates against AAD, which issues a pair of tokens (access token and refresh token) after successful authentication.
The access token is valid for 1 hour (by default) and the issued refresh token is valid for 90 days of inactivity. Each time the refresh token is redeemed to fetch a new access token, AAD issues a new pair (access token and refresh token) and the 90-day inactivity window starts again, so a refresh token in constant use never expires.
On a mobile device (Outlook for iOS or Android) the access token is likewise valid for 1 hour (by default) and the issued refresh token for 90 days. On each renewal the old refresh token is discarded, the newly issued refresh token is kept for the next renewal, and the new access token is used to access the resource.
If the user logs in only once, remains active for 30 minutes and then closes the app:
If the user never comes back to this application, the session is no longer active, the access token (1-hour limit) expires and is not renewed, and the refresh token stays valid but unused.
The refresh token's 90-day inactivity window is only reset when the app redeems it for a new access token / refresh token pair. Since the user never returns, nothing resets the window, and on the 90th day the refresh token is invalidated. (On a device-based CA tenant the 14-day PRT lifetime from the Terms section runs out well before that; the second scenario covers this.)
After the 90th day the user is asked to enter credentials, and a new pair of access token and refresh token is issued after successful authentication.
If the user logs in, remains active, and/or disconnects from VPN / leaves the corporate network:
If the user continues to use the application, the session remains active: the refresh token keeps renewing the access token and access to the protected resource is granted.
If the user signs off, shuts down, or restarts the computer and attempts access again after several hours, the application uses the still-valid (but inactive) refresh token to renew the access token once the 1-hour limit has passed; no credential prompt is needed.
After 14 days without the PRT being renewed (see Terms above), the PRT expires and access is no longer granted: without a valid PRT the device cannot present its device claims, so the device-based CA policy treats it as unregistered (not domain joined) and blocks the request, even though the refresh token itself is still within its 90-day window.
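The two scenarios above come down to which of three clocks runs out first: the 1-hour access token, the 90-day sliding refresh token window, or the 14-day PRT that the device-based CA policy depends on. The script below is an added example, not part of the original notes: it models those three lifetimes with the defaults the notes rely on and replays the scenarios over constructed timestamps. The outcome labels and the case list are mine.

```powershell
# Added example (not from the original notes): model of the three lifetimes used in the
# scenario, replayed over constructed timestamps. Lifetimes are the defaults the notes
# rely on; outcome labels are mine.
$AccessTokenLifetime    = [timespan]::FromHours(1)
$RefreshTokenInactivity = [timespan]::FromDays(90)   # MaxInactiveTime, sliding window
$PrtLifetime            = [timespan]::FromDays(14)   # renewed only while the device is in use

function Resolve-Access {
    param(
        [datetime]$Now,
        [datetime]$PairIssued,       # when AAD last issued the access/refresh token pair
        [datetime]$PrtLastRenewed,   # last interactive sign-in, unlock or 4-hourly renewal
        [bool]$DeviceBasedCA = $true
    )
    $accessValid  = ($Now - $PairIssued)     -lt $AccessTokenLifetime
    $refreshValid = ($Now - $PairIssued)     -lt $RefreshTokenInactivity   # window restarts at every issue
    $prtValid     = ($Now - $PrtLastRenewed) -lt $PrtLifetime

    if ($accessValid)       { return 'Granted: cached access token still valid, no policy re-evaluation' }
    if (-not $refreshValid) { return 'Prompt: refresh token invalidated after 90 days of inactivity, credentials required' }
    if ($DeviceBasedCA -and -not $prtValid) {
        return 'Blocked: refresh token valid but PRT expired, device-based CA fails until the PRT is renewed'
    }
    return 'Granted: silent renewal with refresh token, CA re-evaluated, new token pair issued'
}

# Constructed timeline: initial sign-in on a Monday at 09:00; every case is relative to it.
$t0 = [datetime]::new(2024, 1, 8, 9, 0, 0)
$cases = @(
    @{ Label = 'Still in the app after 30 min';                         Now = $t0.AddMinutes(30); Pair = $t0;             Prt = $t0 }
    @{ Label = 'Reopens the app 3 h later, same day';                   Now = $t0.AddHours(3);    Pair = $t0;             Prt = $t0 }
    @{ Label = 'Day 10: never reopened the app, unlocks the PC daily';  Now = $t0.AddDays(10);    Pair = $t0;             Prt = $t0.AddDays(9) }
    @{ Label = 'Day 20: never reopened the app, PC untouched';          Now = $t0.AddDays(20);    Pair = $t0;             Prt = $t0 }
    @{ Label = 'Day 20: never reopened the app, unlocked on corp net';  Now = $t0.AddDays(20);    Pair = $t0;             Prt = $t0.AddDays(19) }
    @{ Label = 'Day 100: never reopened the app, PC in daily use';      Now = $t0.AddDays(100);   Pair = $t0;             Prt = $t0.AddDays(99) }
    @{ Label = 'Day 100: kept using the app (last refresh day 95)';     Now = $t0.AddDays(100);   Pair = $t0.AddDays(95); Prt = $t0.AddDays(99) }
)

$cases | ForEach-Object {
    [pscustomobject]@{
        Case    = $_.Label
        Outcome = Resolve-Access -Now $_.Now -PairIssued $_.Pair -PrtLastRenewed $_.Prt
    }
} | Format-Table -Wrap
```

The day-20 pair of cases is the one that matters operationally: the refresh token is identical in both, and only the PRT renewal (an unlock with line of sight to a domain controller) decides whether the device-based CA policy lets the silent renewal through. The day-100 pair shows the other clock: a refresh token that is redeemed regularly never reaches its inactivity limit, while one left unused for 90 days forces a credential prompt even on a device whose PRT is fresh.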