Windows 2012 R2 ADFS Token Life Times

compdigit44
We currently are using Windows 2012 R2 ADFS servers set up in a farm and federated with Office 365, supporting 10K users. We are also piloting a third-party MFA product, and the following question has been asked: we need to find out how to define a policy where, if the session lifetime after initial logon is set to a specific amount of time, say, 8 hours, the authenticating end user will not be prompted for 2-factor authentication until the session expires. The relying party trust (the application subject to 2FA under ADFS) is Office 365.

From my understanding, the session lifetime is a global setting, correct? Also, the only other way to change ADFS token lifetimes is using the new Preview feature in Azure which allows you to do so. Is this correct?
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
If you are authenticating against O365, the lifetime of the Azure AD token is the most important one. By default they are set to relaxed values, so users should not see too many prompts:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-configurable-token-lifetimes/

Author

Commented:
But do ADFS tokens come into play here?
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Not as often as you would expect, and that's a good thing. AAD will issue an access and refresh token upon successful authentication (with AD FS included), and as long as the refresh token is valid, it will *never* talk to the AD FS. This is the behavior you should be aiming for, if you want to minimize the number of credential prompts the users see. Only after the AAD refresh token has expired, users will be redirected to the AD FS server.

Author

Commented:
After talking with our PM for this project, they ("upper management") want it set so that when a user accesses the Office 365 portal, they enter their user name, password and 2FA, but will not have to re-enter their 2FA passcode or password in Office 365 on the same workstation for up to 10 hours. In ADFS, persistence is already enabled and set to 10080 minutes.

Global Setting SSO Lifetime = 480
Relying Party Trust = 0 (default), 60 minutes I believe

Thoughts??
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
Again, if O365 is your concern, it's the Azure AD token lifetime that you need to adjust. The default values will ensure that users will not be prompted for credentials unless they go inactive for a long time. So generally speaking you are good to go, no need to change anything. If you need to enforce a smaller token lifetime, you have to use the method described in the article above. I wouldn't recommend it unless absolutely necessary, and you should also be aware that this method will change in the future.
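To make the three lifetimes discussed in this thread concrete, here is an added example (not code from the thread or from Microsoft) that reads the AD FS 2012 R2 global SSO lifetime, the persistent SSO lifetime, the Office 365 relying party token lifetime, and any Azure AD token lifetime policy created through the preview method in the linked article. It assumes the AD FS module on a farm node, the AzureADPreview module for the Azure AD part, and that the relying party trust carries the usual display name "Microsoft Office 365 Identity Platform".

```powershell
# Added example: inventory the lifetimes that decide how often a federated
# Office 365 user is sent back to AD FS (and therefore to MFA).
Import-Module ADFS

# 1. AD FS global lifetimes, in minutes. Thread values: SsoLifetime 480,
#    persistent SSO 10080 with EnablePersistentSso = $true.
$props = Get-AdfsProperties
[pscustomobject]@{
    SsoLifetimeMins           = $props.SsoLifetime
    PersistentSsoEnabled      = $props.EnablePersistentSso
    PersistentSsoLifetimeMins = $props.PersistentSsoLifetimeMins
} | Format-List

# 2. Per-relying-party token lifetime. 0 means "use the default" (60 minutes).
#    Display name is an assumption; adjust if your trust is named differently.
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
"O365 RP token lifetime (0 = default 60 min): {0}" -f $rp.TokenLifetime

# 3. Azure AD side: as long as the AAD refresh token is valid the client never
#    returns to AD FS, so this is the lifetime that actually governs prompts.
Connect-AzureAD
Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'TokenLifetimePolicy' } |
    Select-Object DisplayName, IsOrganizationDefault, Definition

# Only if a shorter lifetime is genuinely required (preview feature, subject to
# change as the answer above notes): an organization-wide 8-hour policy.
# New-AzureADPolicy -Type TokenLifetimePolicy -IsOrganizationDefault $true `
#     -DisplayName 'O365 8h token lifetime' `
#     -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"8:00:00","MaxAgeMultiFactor":"8:00:00"}}')
```

Run the first two sections on an AD FS farm node and the third from any workstation with the AzureADPreview module; compare the values against the 8 or 10 hour target before changing anything.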
