I am developing a java web application(say demoApp ) to have Azure AD sign in using Auth grant flow. Using User sign-in frequency I have configured AD session to 1 hour . Now I have two sessions demoApp session and Azure AD session . My Question is: How would demoApp understand if AD Session is expired. Should my demoApp need to poll AD periodically to check if AD session timed out, so I can force user to logout of demoApp and re-authenticate or any other approach.

@9982c2a9-df9e-49ee-8db8-68420607ec20 After 1 hour, the DemoApp will reject access token with 401 unauthorized error. So your code needs to handle the refresh of the access token. At refresh of access token/ session cookie, login.microsoftonline.com can reject refresh token/session cookie with error: prompt required - handle that error and initiate a prompt for authentication. MSAL (Microsoft Authentication Library) does this out of the box. 3rd party libraries need exception handling. Please do not forget to " Accept the answer " wherever the information provided helps you. This will help others in the community as well.

Auto logout Application when AD Session ends

Prabhakar.Billingi 66

I am developing a java web application(say demoApp) to have Azure AD sign in using Auth grant flow. Using User sign-in frequency I have configured AD session to 1 hour. Now I have two sessions demoApp session and Azure AD session.

My Question is:

How would demoApp understand if AD Session is expired.
Should my demoApp need to poll AD periodically to check if AD session timed out, so I can force user to logout of demoApp and re-authenticate or any other approach.

1 answer

AmanpreetSingh-MSFT 56,561 Reputation points

2020-07-10T10:37:42.75+00:00

@9982c2a9-df9e-49ee-8db8-68420607ec20

After 1 hour, the DemoApp will reject access token with 401 unauthorized error. So your code needs to handle the refresh of the access token. At refresh of access token/ session cookie, login.microsoftonline.com can reject refresh token/session cookie with error: prompt required - handle that error and initiate a prompt for authentication. MSAL (Microsoft Authentication Library) does this out of the box. 3rd party libraries need exception handling.

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
Please sign in to rate this answer.
Prabhakar.Billingi 66 Reputation points

2020-07-12T02:42:16.087+00:00

@amanpreetsingh-msft As part of MSAL library when Access token expires( after 1 hour) it myapp invokes app.acquireTokenSilently(parameters)[which internally invokes https://login.microsoftonline.com/common/oauth2/v2.0/token with refresh_token param] to refresh the token and I am to able get a new Access token and it is not failing with error (prompt required)

Am I doing something wrong here ?

AmanpreetSingh-MSFT 56,561 Reputation points

2020-07-13T07:52:51.47+00:00

@PrabhakarBillingi-9819 I don't see anything wrong here. Could you please verify if the Conditional Access Policy is getting applied? You can check sign-in activity of the user to check that. Make sure the user and application are in scope of the Policy.

Prabhakar.Billingi 66 Reputation points

2020-07-14T06:07:18.837+00:00

Hi @amanpreetsingh-msft , Below is the details of Organization policy we created in the portal.

Users and groups---> We selected All users

Cloud apps and actions---> All Cloud Apps

Conditions--->Client Apps---> Browser

How we can get lifetime of refresh token

AmanpreetSingh-MSFT 56,561 Reputation points

2020-07-14T15:20:36.8+00:00

PrabhakarBillingi-9819 The refresh tokens are not in JWT format and cannot be decoded. You can try to redeem the refresh token after 1 hr to get new access token via postman to see if the refresh token is valid for more than 1hr. However, with the Sign-in Frequency setting, the error would be thrown by Azure Authentication Endpoint even if the refresh token/ Session Cookie (for browser session) is valid. Have you checked the Sign-in logs to confirm if the policy is getting applied successfully?

Prabhakar.Billingi 66 Reputation points

2020-07-15T06:36:07.93+00:00

Hi @amanpreetsingh-msft ,Thank you

We have followed the procedure given by and observed that we are getting the access token (using refresh token) after 1 hour(We set sign in frequency as 1 hour).
More info: we check the logs in Sign-in and found that policy is getting applied successfully.
Please refer the attached screenshot.

Using Postman we hit the request token URL after 1 hour:
URL :POST https://login.microsoftonline.com/common/oauth2/token
Parameters:

client_id=xxxx-xxxx-xxxx

client_secret=xxxx-xxxx-xxxx

grant_type:refresh_token

scope=xxxx

refresh_token=xxxxxxxxxxxxxx

AmanpreetSingh-MSFT 56,561 Reputation points

2020-07-15T08:01:08.09+00:00

@Prabhakar.Billingi Please share the correlation ID from the Sign-in activity log and I'll try to find the issue in our backend logs.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Auto logout Application when AD Session ends

1 answer

Your answer