Two new settings have been introduced under Session Controls in Azure AD Conditional Access:
- Sign-in frequency: defines the time period before a user is asked to sign in again when attempting to access a resource. If the security posture of the authentication session has not changed, users are asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer. This does not override any other policy in place: if the device is no longer compliant or the user's password has expired or been changed, the user is still prompted to authenticate. The setting only comes into play when the security posture of the device and user has not changed. It works with OAuth2 and OIDC applications. Office.com, Dynamics, Teams and the Azure portal honor the sign-in frequency setting; SharePoint Online, Outlook on the Web (OWA) and the Office 365 portal are deploying new compliant versions soon.
- Persistent browser session: allows users to remain signed in after closing and reopening their browser window. It overrides the "Keep me signed in" prompt shown when authenticating against Azure AD, with two choices: Always persistent (the session cookie is saved) or Never persistent (the user must authenticate each time). This setting only takes effect if you have selected All cloud apps in the Cloud apps blade.
If you use AD FS and have configured persistence, Azure AD will comply with the AD FS persistence setting (see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online)
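The two session controls above can also be set through the Microsoft Graph Conditional Access API rather than the portal. The following is an added example, not code from the original article or from Microsoft: it builds the `sessionControls` part of a `conditionalAccessPolicy` body, refuses the combination the text warns about (persistent browser session on a policy that is not scoped to All cloud apps), and scans a constructed list of existing policies for that same ineffective configuration. The JSON shape follows the Graph `conditionalAccessPolicy` resource as I know it; the numeric limits for sign-in frequency (1 to 365 days or 1 to 24 hours) and the `state` values are assumptions and should be checked against the current Graph documentation.

```python
"""Build and audit Conditional Access session controls (added example, not the article's code).

Assumptions: Graph conditionalAccessPolicy JSON shape; sign-in frequency limits of
1..365 days or 1..24 hours; persistent browser only applies when the policy
includes All cloud apps.
"""
import json

# Assumed portal limits for the sign-in frequency value, per unit.
SIGN_IN_FREQUENCY_LIMITS = {"days": (1, 365), "hours": (1, 24)}
VALID_STATES = ("enabled", "disabled", "enabledForReportingButNotEnforced")


def sign_in_frequency(value: int, unit: str = "days") -> dict:
    """Return a signInFrequencySessionControl object after range-checking the value."""
    if unit not in SIGN_IN_FREQUENCY_LIMITS:
        raise ValueError(f"unit must be 'days' or 'hours', got {unit!r}")
    low, high = SIGN_IN_FREQUENCY_LIMITS[unit]
    if not low <= value <= high:
        raise ValueError(f"sign-in frequency in {unit} must be {low}..{high}, got {value}")
    return {"isEnabled": True, "type": unit, "value": value}


def persistent_browser(mode: str) -> dict:
    """Return a persistentBrowserSessionControl object; mode is 'always' or 'never'."""
    if mode not in ("always", "never"):
        raise ValueError(f"mode must be 'always' or 'never', got {mode!r}")
    return {"isEnabled": True, "mode": mode}


def build_policy(display_name: str, included_apps: list, included_users: list,
                 frequency: dict = None, browser: dict = None,
                 state: str = "enabledForReportingButNotEnforced") -> dict:
    """Assemble a policy body. Report-only is the default state so a new policy
    can be observed in sign-in logs before it is enforced."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown policy state {state!r}")
    # Persistent browser session is only honored when the policy targets All cloud apps.
    if browser is not None and included_apps != ["All"]:
        raise ValueError("persistent browser session requires includeApplications == ['All']")
    session_controls = {}
    if frequency is not None:
        session_controls["signInFrequency"] = frequency
    if browser is not None:
        session_controls["persistentBrowser"] = browser
    if not session_controls:
        raise ValueError("at least one session control must be set")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": included_apps},
            "users": {"includeUsers": included_users},
        },
        "sessionControls": session_controls,
    }


def find_ineffective_persistent_browser(policies: list) -> list:
    """Audit helper: names of policies that enable persistent browser session but are
    not scoped to All cloud apps, so the control silently does nothing."""
    hits = []
    for policy in policies:
        controls = policy.get("sessionControls") or {}
        browser = controls.get("persistentBrowser") or {}
        apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if browser.get("isEnabled") and apps != ["All"]:
            hits.append(policy["displayName"])
    return hits


# Constructed sample of what GET /identity/conditionalAccess/policies might return.
SAMPLE_POLICIES = [
    build_policy("Finance - 14 day sign-in frequency", ["All"], ["All"],
                 frequency=sign_in_frequency(14), state="enabled"),
    {   # Hand-written misconfiguration: persistent browser on a single app.
        "displayName": "Legacy app - never persist",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["00000000-0000-0000-0000-000000000000"]},
                       "users": {"includeUsers": ["All"]}},
        "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "never"}},
    },
]

if __name__ == "__main__":
    body = build_policy("Admins - 8h frequency, never persist", ["All"], ["All"],
                        frequency=sign_in_frequency(8, "hours"),
                        browser=persistent_browser("never"))
    print(json.dumps(body, indent=2))
    print("ineffective persistent-browser policies:", find_ineffective_persistent_browser(SAMPLE_POLICIES))
```

The body returned by `build_policy` is what you would POST to `/identity/conditionalAccess/policies` with an appropriately consented Graph client; starting in report-only state lets you confirm in the sign-in logs which apps honor the control before switching it to enforced.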