I'm trying to understand how long a session lasts when accessing Office 365 resources, like Exchange Online, from devices that are neither Entra joined nor hybrid joined. I know that Primary Refresh Tokens (PRTs) are typically only available for those kinds of devices, but what about the sign-in sessions? Specifically, if a user logs in using just a username and password, when does the session need to be refreshed, and how does that relate to conditional access policies?
3 Answers
It's worth noting that your view on PRTs may not be entirely spot on. Any capable device can potentially get a PRT, and session policies can apply in various situations. The limitations come into play based on device capability and security settings.
You should consider that conditional access policies are often evaluated continuously, so the session can be affected by what you’re trying to achieve. Depending on those factors, the reauthentication window could change.
For devices that aren’t joined, the default session refresh token lasts about 90 days if there’s no activity. However, be aware that conditional access policies can complicate this and might require users to reauthenticate sooner depending on specific rules set up by the organization.
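Added example (not part of any answer above, and not Microsoft's code): a simplified model of how the roughly 90-day inactivity window mentioned in the last answer interacts with a Conditional Access sign-in frequency control, using the `sessionControls.signInFrequency` shape that Microsoft Graph returns for policies. It assumes every policy passed in already applies to the sign-in, measures sign-in frequency from the last interactive authentication, and ignores revocation events; the sample policies and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Default cited in the answer above: the refresh token lapses after ~90 days unused.
INACTIVITY_WINDOW = timedelta(days=90)

def sign_in_frequency(policy):
    """Return the sign-in frequency a policy enforces as a timedelta, or None."""
    if policy.get("state") != "enabled":
        return None  # disabled and report-only policies force nothing
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return timedelta(0)  # reauthenticate on every evaluation
    unit, value = sif.get("type"), sif.get("value")
    if unit not in ("hours", "days") or value is None:
        return None  # malformed or unknown control: treat as not enforced
    return timedelta(**{unit: value})

def reauth_deadline(policies, last_interactive_auth, last_token_use):
    """Earliest time the user must sign in again, plus the rule that causes it."""
    deadline, reason = last_token_use + INACTIVITY_WINDOW, "90-day inactivity"
    for policy in policies:
        freq = sign_in_frequency(policy)
        if freq is not None and last_interactive_auth + freq < deadline:
            deadline = last_interactive_auth + freq
            reason = "sign-in frequency: " + policy.get("displayName", "?")
    return deadline, reason

# Constructed sample data in the Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {"displayName": "Unmanaged devices - 12h", "state": "enabled",
     "sessionControls": {"signInFrequency": {
         "isEnabled": True, "type": "hours", "value": 12,
         "frequencyInterval": "timeBased"}}},
    {"displayName": "Pilot - 1h", "state": "enabledForReportingButNotEnforced",
     "sessionControls": {"signInFrequency": {
         "isEnabled": True, "type": "hours", "value": 1,
         "frequencyInterval": "timeBased"}}},
    {"displayName": "Require MFA", "state": "enabled", "sessionControls": None},
]

if __name__ == "__main__":
    auth = datetime(2024, 1, 1, 9, 0)   # constructed timestamps
    used = datetime(2024, 1, 1, 10, 0)
    print(reauth_deadline(SAMPLE_POLICIES, auth, used))
    print(reauth_deadline([], auth, used))
```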
