How to limit azcli session lifetime at the tenant level?

MT 156 Reputation points
2024-07-03T02:27:53.0166667+00:00

As per the subject, I would like the "az login" session to expire after, say, 8h. How can I set this up at the tenant level?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Raja Pothuraju 1,275 Reputation points Microsoft Vendor
    2024-07-04T15:56:04.33+00:00

    Hello @MT,

    Thank you for posting your query on Microsoft Q&A.

    You can't directly target Microsoft Azure CLI via conditional access policy because it is not available in the cloud app picker list to target directly. This is due to its dependencies on other resource applications.

    If you would like to target Microsoft Azure CLI, you need to target the resource application of Microsoft Azure CLI, which is the Windows Azure Service Management API. When you target the Windows Azure Service Management API application, the policy is enforced for tokens issued to a set of services dependent on this Azure management portal and API, services, or clients. Please refer to the following document for the list of applications that have this dependency:

    Windows Azure Service Management API - Conditional Access

    According to the document below, Cloud Shell sessions have a time limit of 20 minutes. As a result, any long-running non-interactive sessions are ended without warning:

    Cloud Shell FAQ and Troubleshooting

    Given the 20-minute time limitation for Cloud Shell sessions, it may not be necessary to have a conditional access policy with a sign-in frequency of 8 hours.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Please Accept the answer if the information helped you. This will help us and others in the community as well. Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.

1 additional answer

  1. Nikit Patiyawala 0 Reputation points
    2024-07-03T05:53:42.86+00:00

    Hi,

    A Conditional Access policy will help you in this case. Please configure it with the steps below.

    1. Sign in to the Microsoft Entra admin center using your administrator account.
    2. Navigate to Conditional Access: Go to Protection > Conditional Access > Policies.
    3. Create a New Policy: Click on New policy and give it a meaningful name.
    4. Configure Conditions: Choose the conditions for your policy, such as targeting specific users or applications.
    5. Set Sign-In Frequency:
      • Under Access controls > Session, select Sign-in frequency.
      • Choose Periodic reauthentication and enter a value in hours or days, or select Every time.
    6. Save the Policy.
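
The two answers above combine into one policy: a sign-in frequency session control scoped to the Windows Azure Service Management API resource. The following is an added example, not code from either answer or from Microsoft: it builds that policy in the Microsoft Graph conditionalAccessPolicy shape (the body accepted by POST /identity/conditionalAccess/policies) and checks whether a given policy actually enforces a limit on Azure management tokens. The function names and the break-glass placeholder are assumptions; the appId is the well-known ID of the Windows Azure Service Management API.

```python
"""Added example: build and audit a Conditional Access policy body (Microsoft Graph shape)."""
import json

# Well-known appId of the "Windows Azure Service Management API" resource,
# which is what az CLI tokens for Azure management are issued for.
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def build_policy(hours, exclude_users=(), enforce=False):
    """Return a conditionalAccessPolicy body that sets sign-in frequency in hours."""
    if not isinstance(hours, int) or isinstance(hours, bool) or hours < 1:
        raise ValueError("hours must be a positive integer")
    return {
        "displayName": f"Azure management: reauthenticate every {hours}h",
        # Report-only unless enforce=True, so the effect can be reviewed first.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": [ARM_APP_ID]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": hours}
        },
    }


def max_session_hours(policy):
    """Hours after which the policy forces reauthentication for Azure management
    tokens; None if it is not enforced, does not cover them, or sets no frequency."""
    if policy.get("state") != "enabled":
        return None  # disabled or report-only policies enforce nothing
    apps = policy.get("conditions", {}).get("applications", {})
    included = apps.get("includeApplications", [])
    if ARM_APP_ID in apps.get("excludeApplications", []):
        return None
    if "All" not in included and ARM_APP_ID not in included:
        return None  # e.g. a policy scoped to some other application
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    if sif.get("value") is None:
        return None
    return sif["value"] * (24 if sif.get("type") == "days" else 1)


if __name__ == "__main__":
    body = build_policy(8, exclude_users=["<break-glass-account-object-id>"])
    print(json.dumps(body, indent=2))
```

Creating the policy through Graph requires a caller with the Policy.ReadWrite.ConditionalAccess permission; the same audit function can be run over policies exported from the tenant.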