compdigit44 asked:

Windows 2012 R2 ADFS Token Life Times

We currently use Windows 2012 R2 ADFS servers set up in a farm and federated with Office 365, supporting 10K users. We are also piloting a third-party MFA product, and the following question has been asked: we need to find out how to define a policy where, if the session lifetime after initial logon is set to a specific amount of time, say 8 hours, the authenticating end user will not be prompted for two-factor authentication until the session expires. The relying party trust (the application subject to 2FA under ADFS) is Office 365.

From my understanding, the session lifetime is a global setting, correct? Also, the only other way to change ADFS token lifetimes is using the new Preview feature in Azure which allows you to do so. Is this correct?
Topics: Windows Server 2012, Active Directory, Azure

Last comment: Vasil Michev (MVP), 8/22/2022 - Mon
Vasil Michev (MVP)

If you are authenticating against O365, the lifetime of the Azure AD token is the most important one. By default they are set to relaxed values, so users should not see too many prompts:

But do ADFS tokens come into play here?
Vasil Michev (MVP)

Not as often as you would expect, and that's a good thing. AAD will issue an access token and a refresh token upon successful authentication (with AD FS included), and as long as the refresh token is valid, it will *never* talk to AD FS. This is the behavior you should be aiming for if you want to minimize the number of credential prompts the users see. Only after the AAD refresh token has expired will users be redirected to the AD FS server.

After talking with our PM for this project, they ("upper management") want it set so that when a user accesses the Office 365 portal, they enter their user name, password and 2FA, but will not have to re-enter their 2FA passcode or password in Office 365 on the same workstation for up to 10 hours. In ADFS, persistence is already enabled and set to 10080 minutes.

Global setting SSO lifetime = 480
Relying party trust = 0 (default), 60 minutes I believe
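As an added example (not part of the original thread and not code from either participant), the following PowerShell reads the AD FS 2012 R2 settings listed above (global SSO lifetime, persistent SSO, and the per-relying-party token lifetime), flags the values that would send users back through AD FS before a 10-hour window elapses, and raises them. It assumes it is run in an elevated session on an AD FS server, that the Office 365 relying party trust still carries its default display name "Microsoft Office 365 Identity Platform" (created by Convert-MsolDomainToFederated), and that 10 hours is the target; all three are assumptions to adjust.

```powershell
# Added example, not the original poster's or Microsoft's code.
# Inspect and adjust the AD FS 2012 R2 lifetimes that decide how long a
# user keeps web SSO after the initial (password + MFA) logon.
Import-Module ADFS

$rpName      = 'Microsoft Office 365 Identity Platform'   # assumption: default O365 RP name
$targetHours = 10                                           # assumption: window asked for above
$targetMins  = $targetHours * 60

# --- current state --------------------------------------------------------
$props = Get-AdfsProperties
$rp    = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found; check the name." }

[pscustomobject]@{
    SsoLifetimeMins           = $props.SsoLifetime              # global web SSO cookie lifetime, default 480
    EnablePersistentSso       = $props.EnablePersistentSso
    PersistentSsoLifetimeMins = $props.PersistentSsoLifetimeMins # default 10080 (7 days)
    EnableKmsi                = $props.EnableKmsi
    KmsiLifetimeMins          = $props.KmsiLifetimeMins
    RpTokenLifetimeMins       = $rp.TokenLifetime               # 0 means "service default" (60)
} | Format-List

# --- effective values -----------------------------------------------------
# A per-RP TokenLifetime of 0 is not "no expiry"; it falls back to the 60-minute default.
$effectiveRpToken = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }

if ($props.SsoLifetime -lt $targetMins) {
    Write-Warning ("Global SsoLifetime is {0} min; the SSO cookie expires before {1} h and the user " +
                   "is sent back through AD FS (and its additional-authentication rules) again." -f
                   $props.SsoLifetime, $targetHours)
}
if ($effectiveRpToken -lt $targetMins) {
    Write-Warning ("Token lifetime for '{0}' is effectively {1} min." -f $rpName, $effectiveRpToken)
}

# --- change, only where the current value is below the target -------------
# SsoLifetime is a property of the whole federation service in 2012 R2, so this
# affects every relying party, not just Office 365.
if ($props.SsoLifetime -lt $targetMins) {
    Set-AdfsProperties -SsoLifetime $targetMins
}
if ($effectiveRpToken -lt $targetMins) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -TokenLifetime $targetMins
}

# Re-read to confirm the farm picked up the new values.
Get-AdfsProperties | Select-Object SsoLifetime, PersistentSsoLifetimeMins
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, TokenLifetime
```

The block covers only the AD FS side. As noted in the reply above, once AD FS has authenticated the user, Azure AD issues its own access and refresh tokens, and the user is not sent back to AD FS until the Azure AD refresh token stops being usable; the AD FS values here bound how long the cookie and the issued token stay valid, not how often Azure AD re-prompts.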

Vasil Michev (MVP)

[Accepted solution not shown: the page displays only a sign-up prompt in its place.]