ADFS 2016 cached session problem

  • Question

  • Hi guys, does anyone have experience with ADFS 2016 cached sessions?
    My case is: I allow users to access Office 365 from the internal network only, and one special group of users can access it from the internet.
    I did this and it worked: only some users can access from the internet, and every other user can access only from the internal network.
    But ADFS has a cached session, which means all users on the internal network can still access from the internet if they don't sign out of Office 365.
    Especially with S4B and Outlook: if they bring their laptop from the office network home to work, they won't sign out, and then they can still work with Office 365 even though they are not allowed (not members of the special group).
    Monday, October 28, 2019 3:32 AM
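    For readers who want to see what the "internal network only, plus one group from the internet" setup described above looks like on the ADFS side, here is an added example (not code from the original poster or from the thread). It writes a pair of issuance authorization rules on the Office 365 relying party trust: the first permits any request that carries the insidecorporatenetwork claim (which ADFS sets to "true" only when the request reached the internal farm rather than the Web Application Proxy), the second permits members of one AD group regardless of location. The group name `O365-RemoteAccess` and the relying party trust name are assumptions; adjust them to your environment. Note that these rules are evaluated only when ADFS issues a token, i.e. at sign-in, which is the root of the behaviour the question describes.

```powershell
# Added example (not from the thread): ADFS 2016 issuance authorization rules for the
# Office 365 relying party that permit everyone from the internal network and only one
# AD group from the internet. Group name and RP trust name are assumptions.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName      = 'Microsoft Office 365 Identity Platform'   # default RP trust name created by Convert-MsolDomainToFederated
$remoteGroup = 'O365-RemoteAccess'                        # hypothetical AD group allowed to sign in from the internet
$groupSid    = (Get-ADGroup -Identity $remoteGroup).SID.Value

# Claim rule language. The insidecorporatenetwork claim is "true" only when the
# request reached the internal ADFS servers rather than the Web Application Proxy.
$rules = @"
@RuleName = "Permit everyone from inside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit the remote-access group from any location"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# ADFS 2016 assigns an access control policy to new trusts; custom issuance
# authorization rules can only be set once that policy is removed from the trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what is now in place. These rules run when ADFS issues a token (at sign-in);
# a browser session or client token that already exists is not re-evaluated.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

    A user who fails both rules gets an access denied page from ADFS at the next sign-in; a user who already holds a valid ADFS session cookie or an Office 365 token is not affected until it expires or is re-issued.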

All replies

  • Hiya,

    As far as I know there is no way to control the user cookie/token lifetime on client computers once it is issued. There is no central way to force all tokens to be revoked, and there is no way to force a single token to be revoked.

    This is a general drawback of token-based authentication. This also applies to:

    1: If you disable the user's access -> the user will still have access until the next authentication attempt / token expiration.

    2: If you change any token-related security policy -> users will still operate under the old policy for as long as the token is valid.

    Note: The above might have changed in the last 6 months, as I have not actively worked with Azure/ADFS + O365 tokens since then.

    Monday, October 28, 2019 7:35 AM
  • Are your devices Hybrid-Azure AD Joined?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Monday, October 28, 2019 12:29 PM
  • No, just an on-premises domain with ADSync and authentication via ADFS.
    Monday, October 28, 2019 4:27 PM
  • So first, ADFS does not cache anything.

    Then, the client has a session cookie with ADFS which is not persistent unless you pick the KMSI option (Keep Me Signed In). These cookies are session cookies, so they die when you terminate the browser process (and last only 8 hours if you don't).

    If everything is configured correctly, internal users must have an SSO experience. So even if their session has expired, they get seamless sign-on automatically when it gets refreshed.

    That said, modern clients also have a concept of session. Some of that is explained here: https://docs.microsoft.com/en-us/office365/enterprise/session-timeouts

    And all these things work differently if your device is registered or if it is Hybrid Azure AD joined, as you then get a PRT, which also does not require the user to go back to ADFS.

    What should matter for data access and storage at rest (which is the case for Outlook clients) isn't so much the location/source of the connection but the level of trust of the device. Is the device compliant, enforcing your security policies (encryption at rest, strong authentication, etc.)? The location/source of the connection might also be a concern, if and only if it is an abnormal behavior, or an IP from a known bad actor. And for all this, you have great options in the cloud :) Use an MDM for the level of compliance, use CAP to trigger MFA or even block access, and use AAD Identity Protection to automatically block access from known bad locations.



    Tuesday, October 29, 2019 1:04 PM
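    The answer above describes the ADFS browser session: a session cookie that is dropped when the browser closes and otherwise lasts 8 hours, a persistent cookie only when KMSI is chosen, and separate session handling in rich clients. As an added example (not code from the thread), the following PowerShell reads those settings from an ADFS 2016 farm and then tightens them: a shorter SSO cookie lifetime, KMSI switched off so browser cookies are session-only, a cutoff after which previously issued persistent SSO cookies are no longer accepted, and a shorter token lifetime on the Office 365 relying party trust. The numeric values are illustrative choices, not recommendations from the thread, and the relying party trust name is the default one.

```powershell
# Added example (not from the thread): inspect and tighten the ADFS-side session settings
# the answer refers to, plus the token lifetime for the Office 365 relying party trust.
# The chosen values are illustrative, not recommendations from the thread.
Import-Module ADFS

# Current settings. ADFS 2016 defaults: SsoLifetime 480 min (the 8 hours mentioned above),
# KmsiLifetimeMins 1440, PersistentSsoLifetimeMins 10080.
Get-AdfsProperties |
    Select-Object SsoLifetime, EnableKmsi, KmsiLifetimeMins,
                  EnablePersistentSso, PersistentSsoLifetimeMins, PersistentSsoCutoffTime

# Shorten the browser SSO session to 4 hours and remove the "Keep me signed in" option,
# so the ADFS cookie is always a session cookie that dies with the browser process.
Set-AdfsProperties -SsoLifetime 240 -EnableKmsi $false

# Persistent SSO cookies issued before this point are no longer accepted, so an
# authorization rule change applies to such sessions at the next request rather than
# when the cookie would have expired on its own.
Set-AdfsProperties -PersistentSsoCutoffTime (Get-Date)

# Token lifetime (minutes) for tokens ADFS issues to Azure AD for Office 365.
# Outlook and Skype for Business keep their own client sessions, as the answer notes,
# so this alone does not sign those clients out.
$rpName = 'Microsoft Office 365 Identity Platform'   # default RP trust name; adjust if renamed
Set-AdfsRelyingPartyTrust -TargetName $rpName -TokenLifetime 60

# Show the result
Get-AdfsProperties | Select-Object SsoLifetime, EnableKmsi, PersistentSsoCutoffTime
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, TokenLifetime
```

    Run this on an ADFS server as a farm administrator; the property changes apply to the whole farm. Shorter lifetimes narrow the window in which a user who is no longer authorized keeps working, but as the replies point out, only the device-based controls (Hybrid Azure AD join, MDM compliance, Conditional Access) change what happens to clients that never return to ADFS.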