Multi-Factor Authentication - Conditional Access Policies

As part of the security update for using web clients and applications at Oxford University, the Keep Me Signed In (KMSI) option will be switched off on 10 November and replaced by a conditional access policy (CAP). Keep Me Signed In is the prompt you sometimes see when signing in to an application, asking whether you want to stay signed in; you can currently answer yes or no. After the change, this prompt will no longer appear.

Following that change, how often you are required to log in will depend on which services you are accessing and what networks you are using.

What is a conditional access policy

A conditional access policy is a set of if-then rules, evaluated each time a user signs in, that enforces organisational access requirements: if a user wants to access a resource, then they must satisfy a condition before access is granted. For example, a person who wants to access Nexus365 services to read their email is required to complete multi-factor authentication before a session is issued.

The video on this Microsoft page explains "What is Conditional Access?"

Modern authentication vs legacy (basic) authentication

For the purposes of Conditional Access Policies once KMSI is switched off, there are two types of authentication method:

  1. Modern Authentication - a token-based method used by browsers and more up-to-date versions of applications, e.g. Outlook 2016/365. It uses OAuth 2.0 and is therefore sometimes referred to as "OAuth2". Because the client holds a token rather than your password, MFA and conditional access checks can be applied to it.
  2. Legacy or Basic authentication - an older method in which the client sends the username and password with every request. It is used by older clients that are not capable of Modern Authentication, e.g. Outlook 2013. The protocol has no step in which a second factor can be requested, so MFA cannot be enforced on it.

User Scenarios

The following table explains how long your session will last before you are asked to authenticate again, and which authentication methods are available. This depends on what service you are accessing, and on whether you are using a modern or a legacy client.

In all cases, you may be asked to re-authenticate (with MFA where applicable) sooner than the session lifetimes stated. One example of when this may occur is where the user has changed location or IP address; this is a built-in feature of the Azure platform whose exact behaviour Microsoft does not fully document, for security reasons.

Overall, sessions will last at least 90 days, except when you are accessing web-based services, including web-based Office365 and Shibboleth-protected resources such as CoSy, TeamSeer or Clarity. Because the browser session is no longer persistent once KMSI is switched off, those sessions will last between 10 and 11 hours.

What are you accessing?                                                          | Modern or Basic Authentication? | With MFA? | How long will my session last?
Office365 on mobile or desktop app, e.g. Outlook or Teams client (see note 1)    | Modern                          | Yes or no | At least 90 days
Office365 on mobile or desktop app, e.g. Outlook 2013 and older mail clients     | Basic (legacy)                  | No        | At least 90 days
Office365 on mobile or desktop app, e.g. Outlook 2013 and older mail clients     | Basic (legacy)                  | Yes       | See note 2
Web-based access, e.g. Office 365 and Shibboleth-protected resources             | Modern only (see note 3)        | Yes or no | Up to 11 hours
Office365 via ActiveSync client                                                  | Basic (legacy)                  | No        | At least 90 days
Office365 via ActiveSync client                                                  | Basic (legacy)                  | Yes       | See note 4
Office365 via ActiveSync client                                                  | Modern                          | Yes or no | At least 90 days (see note 5)


Note 1: Teams on Linux is recognised as a web browser by Microsoft and therefore behaves as per web browser based session lengths.

Note 2: Access for legacy clients, such as IMAP clients, via basic authentication is not permitted for users who have MFA enabled via the Conditional Access Policies. Many modern mail clients can be reconfigured to use Modern Authentication instead. Otherwise, an app password is required. Note that an app password is a single-factor credential that lets that client bypass MFA, so treat it as a secret and revoke it when the client is retired.

Note 3: All browser-based access for SSO protected resources uses Modern Authentication in browser.

Note 4: Access for ActiveSync clients using basic authentication is not permitted for users with MFA enabled via the Conditional Access Policies. An app password is required.

Note 5: Access for ActiveSync clients that can use Modern authentication is permitted, but these clients may not be widely available.
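To make the behaviour described above concrete (the "complete an action to access a resource" rule in the definition section, the shorter web session in the table, and the blocking of basic authentication in notes 2 and 4), here is an added example of how such policies are expressed with the Microsoft Graph PowerShell SDK. This is illustrative code written for this page, not the University's own configuration. The group and break-glass account identifiers are placeholders, the 10-hour sign-in frequency is an assumption chosen to match the 10-11 hour range given above, and all three policies are created in report-only mode so that nothing is enforced until the results have been reviewed.

```powershell
# Added example (not the University's configuration): Conditional Access policies that
# reproduce the behaviour described on this page, built with the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# ASSUMPTION: MFA is rolled out to members of one group; its object ID goes here.
$mfaGroupId   = "<object-id-of-MFA-users-group>"
# ASSUMPTION: an emergency-access (break-glass) account, excluded from every policy
# so that a mis-scoped policy cannot lock administrators out.
$breakGlassId = "<object-id-of-break-glass-account>"

# Policy 1 - the "if you want the resource, complete an action" rule:
# modern clients accessing Office 365 must complete MFA.
$requireMfa = @{
    displayName   = "CA01 - Require MFA for Office 365"
    state         = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
    conditions    = @{
        users          = @{ includeGroups = @($mfaGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")   # modern authentication only
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2 - notes 2 and 4: basic-auth clients cannot be prompted for a second factor,
# so the only control that keeps MFA meaningful is to block them outright.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication for MFA users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($mfaGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # EAS plus IMAP/POP/SMTP and other basic auth
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 3 - the web-based row: no persistent browser session (the KMSI replacement)
# plus a sign-in frequency. ASSUMPTION: 10 hours; the page gives a range, not the exact value.
$webSession = @{
    displayName     = "CA03 - Browser session controls"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        persistentBrowserSession = @{ isEnabled = $true; mode = "never" }
        signInFrequency          = @{ isEnabled = $true; type = "hours"; value = 10 }
    }
}

foreach ($policy in @($requireMfa, $blockLegacy, $webSession)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  id={1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}

# Check before enforcing CA02: which users still sign in with basic authentication?
# clientAppUsed and createdDateTime are documented $filter properties on sign-in events.
$since      = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacyApps = "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"
foreach ($app in $legacyApps) {
    Get-MgAuditLogSignIn -Filter "clientAppUsed eq '$app' and createdDateTime ge $since" -Top 50 |
        Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName
}
```

Two points worth noting. First, the sign-in frequency is evaluated when a client next requests a token, not on a timer, so a 10-hour frequency combined with roughly hour-long access tokens produces exactly the "between 10 and 11 hours" that the table describes. Second, run the sign-in log query and review the report-only results before changing any policy state to "enabled": every user who still appears under a legacy client app will be blocked by CA02 and needs either a modern client or an app password first.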