Windows 2012 R2 ADFS Token Life Times

We currently are using Windows 2012 R2 ADFS servers set up in a farm and federated with Office 365, supporting 10K users. We are also piloting a third-party MFA product, and the following question has been asked: we need to find out how to define a policy where, if a session lifetime post initial logon is set to a specific amount of time, say 8 hours, the authenticating end-user will not be prompted for 2-factor authentication until the session expires. The relying party trust (application subject to 2FA under ADFS) is Office 365.

From my understanding, the session lifetime is a global setting, correct? Also, the only other way to change ADFS token lifetimes is using the new Preview feature in Azure, which allows you to do so. Is this correct?
compdigit44 asked:

Vasil Michev (MVP) commented:
If you are authenticating against O365, the lifetime of the Azure AD token is the most important one. By default they are set to relaxed values, so users should not see too many prompts:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-configurable-token-lifetimes/
compdigit44 (author) commented:
But do ADFS tokens come into play here?
Vasil Michev (MVP) commented:
Not as often as you would expect, and that's a good thing. AAD will issue an access and refresh token upon successful authentication (with AD FS included), and as long as the refresh token is valid, it will *never* talk to the AD FS. This is the behavior you should be aiming for, if you want to minimize the number of credential prompts the users see. Only after the AAD refresh token has expired, users will be redirected to the AD FS server.
compdigit44 (author) commented:
After talking with our PM for this project, they ("upper management") want it set so that when a user accesses the Office 365 portal, they enter their user name, password and 2FA, but will not have to re-enter their 2FA passcode or password in Office 365 on the same workstation for up to 10 hours. In ADFS, persistence is already enabled and set to 10080 minutes.

Global setting SSO lifetime = 480
Relying party trust = 0 (default), 60 minutes I believe

Thoughts??
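The settings listed in the post above map directly onto AD FS cmdlets. The following is an added example, not code from the thread or from Microsoft's documentation: it reads the farm-wide SSO values and the per-relying-party token lifetime, then shows the change that would align the Office 365 token with the 8-hour session the question asks for. It assumes an elevated PowerShell session on an AD FS 2012 R2 server; the relying party display name is an assumption and should be checked with `Get-AdfsRelyingPartyTrust`.

```powershell
# Added example (not from the thread): inspect and adjust the AD FS-side
# lifetimes discussed above. Run in an elevated PowerShell session on an
# AD FS 2012 R2 server in the farm.

Import-Module ADFS

# 1. Farm-wide (global) single sign-on settings.
#    SsoLifetime is in minutes and applies to every relying party;
#    PersistentSsoLifetimeMins is the "keep me signed in" cookie lifetime
#    (the thread reports 480 and 10080 respectively).
Get-AdfsProperties |
    Select-Object SsoLifetime, EnablePersistentSso, PersistentSsoLifetimeMins, KmsiEnabled |
    Format-List

# 2. Per-relying-party token lifetime. A value of 0 means "use the default",
#    which is 60 minutes; it governs the token issued for that application only.
$rpName = 'Microsoft Office 365 Identity Platform'   # assumed display name
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, TokenLifetime, Identifier |
    Format-List

# 3. Raise the Office 365 token lifetime to 8 hours (480 minutes).
#    -WhatIf previews the change without applying it; remove it to commit.
Set-AdfsRelyingPartyTrust -TargetName $rpName -TokenLifetime 480 -WhatIf

# 4. The global SSO lifetime, should you decide to change it instead.
Set-AdfsProperties -SsoLifetime 480 -WhatIf
```

Read the values first and keep the `-WhatIf` until you have confirmed the relying party name: the per-RP `TokenLifetime` only matters on the visits when Azure AD actually redirects to AD FS, which, as the reply below explains, happens far less often than the AD FS numbers alone suggest.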
Vasil Michev (MVP) commented:
Again, if O365 is your concern, it's the Azure AD token lifetime that you need to adjust. The default values will ensure that users will not be prompted for credentials unless they go inactive for a long time. So generally speaking you are good to go, no need to change anything. If you need to enforce a smaller token lifetime, you have to use the method described in the article above. I wouldn't recommend it unless absolutely necessary, and you should also be aware that this method will change in the future.
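The "method described in the article above" is the Azure AD configurable token lifetime policy from the preview feature the question mentions. As an added example, not part of the thread and not the article's own code, this is what inspecting and defining such a tenant-wide policy looks like with the AzureADPreview module. The policy name and lifetime values are assumptions chosen to match the 8-hour session requested in the question; the module, cmdlets and property names are the ones the preview used at the time, and, as the reply notes, the mechanism has since changed.

```powershell
# Added example (not from the thread): the Azure AD side, which the reply
# above identifies as the lifetime that actually governs Office 365 prompts.
# Requires the AzureADPreview module and a Global Administrator sign-in.

Import-Module AzureADPreview
Connect-AzureAD

# Look before changing anything: list any existing token lifetime policy
# so a new organization default does not silently replace one already set.
Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'TokenLifetimePolicy' } |
    Select-Object DisplayName, IsOrganizationDefault, Definition |
    Format-List

# Policy definition (assumed values):
#   AccessTokenLifetime       - how long an access token is valid (8 hours here).
#   MaxInactiveTime           - how long a refresh token survives without use;
#                               once it lapses the user is sent back to AD FS.
#   MaxAgeSessionSingleFactor - "until-disabled" keeps the single-factor
#                               session alive as long as the refresh token works.
$definition = @'
{"TokenLifetimePolicy":{"Version":1,
  "AccessTokenLifetime":"08:00:00",
  "MaxInactiveTime":"90.00:00:00",
  "MaxAgeSessionSingleFactor":"until-disabled"}}
'@

# Create the policy as the tenant-wide default. Values are TimeSpan strings:
# hh:mm:ss, or d.hh:mm:ss for multi-day spans.
New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'O365-8h-AccessToken-Policy' `
    -IsOrganizationDefault $true `
    -Type 'TokenLifetimePolicy'
```

Shortening `AccessTokenLifetime` on its own does not add prompts, because a valid refresh token renews the access token silently; it is the inactivity and session-age limits that decide when the user is redirected to AD FS and therefore when the MFA provider is invoked again.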