
I would like to configure the custom policy so that

  • A user who has not been active for more than 1 day will be logged out and forced to sign in again.
  • If they continuously use the app, then their session will stay valid and they can keep on using the app for many more days.
  • But after 30 days, even if they've been using the app every day, they will be forced to log out and need to log in again. Is this possible?

I tried to accomplish this with web session but can't seem to find a way.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior

It might not be a 1 day rolling session and a 30 day upper limit. Maybe it's a 1 hour rolling session and a 1 day upper limit. So the user will need to log in again after 1 hour of idle time, or, if they keep on using the app, they will need to log in again after 24 hours.

davidx1

2 Answers

The standard refresh token time is 24 hours so that should cover the day of inactivity.

You shouldn't need a rolling session.

Make the web app session timeout "Absolute" which indicates that the user is forced to re-authenticate after the time period specified.

In terms of the forced password reset, look here.

rbrayb
  • Sorry, I might've not been very clear in my original question. I'm not asking about forced password reset. What I wanted to know is if you can have a rolling session with an upper bound? E.g. having the web app session timeout "Rolling" for 1 hour. If they stop using the app for more than 1 hour, then they need to log in again. But if they keep using the app every hour for 14 days, the user is logged out and forced to log in again. How would I accomplish this? (I've changed the numbers a bit compared to the original question, but same idea.) – davidx1 Oct 03 '21 at 07:35

Set the following:

  1. 1 hr access token lifetime
  2. 24 hr refresh token lifetime, absolute length (fixed 24 hrs for SPA apps). Reduce this time below (3) to give a higher chance of the web session being extended.
  3. 24 hr web session, rolling. Only extends when (2) expires but (3) is still valid.

It gets the closest to your requirements.

Jas Suri - MSFT
  • How do you configure the custom policy so that the web session is rolling to 30 days? – davidx1 Oct 03 '21 at 03:04
  • https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior. Set SessionExpiryType to Rolling. – Jas Suri - MSFT Oct 03 '21 at 07:39
  • Also https://learn.microsoft.com/en-us/azure/active-directory-b2c/relyingparty#userjourneybehaviors – rbrayb Oct 03 '21 at 07:41
  • I've read both articles but maybe I'm misreading something... My understanding is that if I set `SessionExpiryType` to `Rolling`, and `SessionExpiryInSeconds` to 1 day, then the session will time out after 1 day of inactivity, but if the user uses the app every day, the session will keep rolling forever. But where do I set the 30 days upper limit? I want it so that the user will be logged out after 1 day of inactivity, but if they stay active and use the app every day, they will be logged out after 30 days? – davidx1 Oct 03 '21 at 07:50
  • @rbrayb Can you point me to exactly what I need to set to configure a 1 day rolling session AND a 30 day absolute session? It seems like I can only configure it to go one way or the other, and not both :( – davidx1 Oct 03 '21 at 08:15
  • To end the session in 30 days, combine it with this [sample](https://github.com/azure-ad-b2c/samples/tree/master/policies/revoke-sso-sessions). It needs modifying to compare the time in the first login to the current time, and do a [time comparison transformation](https://learn.microsoft.com/en-us/azure/active-directory-b2c/date-transformations#datetimecomparison) instead of comparing to the refreshTokenValidFrom timestamp. – Jas Suri - MSFT Oct 03 '21 at 13:13
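A custom-policy fragment for the three settings in this answer (1 hr access token, 24 hr absolute refresh token, 24 hr rolling web session) plus the 30-day comparison suggested in the comments, added here as an example; it is not code from the answer, the linked sample or Microsoft. The policy name, the claim names and the extension attribute that holds the first-login time are assumed, and the user-journey steps that persist that time and branch on the result claim are not shown.

```xml
<!-- RelyingParty section of the relying-party policy file; policy name assumed -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" />
    <!-- (3) 24 h rolling web session: each successful sign-in pushes the expiry out another 24 h -->
    <SessionExpiryType>Rolling</SessionExpiryType>
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
      <!-- (1) 1 h access token -->
      <Item Key="token_lifetime_secs">3600</Item>
      <!-- (2) 24 h refresh token with no sliding window beyond 24 h, i.e. absolute; lowering
           this below the 86400 s web session gives more chances for the session to extend -->
      <Item Key="refresh_token_lifetime_secs">86400</Item>
      <Item Key="rolling_refresh_token_lifetime_secs">86400</Item>
      <Item Key="allow_infinite_rolling_refresh_token">false</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
<!-- ClaimsTransformations for the 30-day upper bound (claim names assumed). The journey must
     store the first-login time (here an assumed extension attribute) and branch on the result
     claim, where the linked sample instead compares against the refresh-token valid-from time. -->
<ClaimsTransformation Id="GetCurrentDateTime" TransformationMethod="GetCurrentDateTime">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="currentDateTime" />
  </OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="IsFirstLoginOlderThan30Days" TransformationMethod="DateTimeComparison">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="firstDateTime" />
    <InputClaim ClaimTypeReferenceId="extension_FirstLoginDateTime" TransformationClaimType="secondDateTime" />
  </InputClaims>
  <InputParameters>
    <!-- result is true when currentDateTime is later than first login + 2592000 s (30 days) -->
    <InputParameter Id="operator" DataType="string" Value="later than" />
    <InputParameter Id="timeSpanInSeconds" DataType="int" Value="2592000" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="sessionOlderThan30Days" TransformationClaimType="result" />
  </OutputClaims>
</ClaimsTransformation>
```

When `sessionOlderThan30Days` is true the journey should run a fresh authentication step rather than reuse the SSO session, which is what turns the rolling session into one with an absolute cap.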