Authentication scenarios

To demonstrate how authentication policies and global session policies interact, consider a global session policy that uses the "Any factor used to meet the Authentication Policy requirements" setting. This global session policy setting offers the most flexibility when configuring authentication policies for each app in your org (for example, passwordless authentication for one app and secure MFA for another). Combining this setting with the following authentication policy settings results in different authentication experiences for end users.

| Authentication policy factor settings | Prompts for authentication |
| --- | --- |
| Password only | End user signs in with a password or is federated and is not prompted for a password again until the first of these events occurs: the session expires (global session policy), or the Re-authentication frequency point is reached (authentication policy). |
| Password + possession factor (for each device setting) | End user signs in and is not prompted for password again until the session defined in the global session policy expires. End user is not prompted for the possession factor again unless they clear cookies on their device. |
| Password + possession factor (for each session) | End user signs in and is not prompted for a password or authenticator again until the session defined in the global session policy expires. |
| Password + possession factor (every time) | End user signs in and is not prompted for a password or authenticator again until they return to the app authentication page. |
| Password + possession factor (for each Re-authenticate after setting) | End user signs in and is not prompted for a password again until the session defined in the global session policy expires. End user is not prompted for a possession factor again unless they clear cookies on their device or the factor lifetime setting expires and they return to the app authentication page. |
| Possession factor only (for each Re-authenticate after setting) | End user signs in with any enrolled possession factor. End user is not prompted for the possession factor again unless they clear cookies on their device or the factor lifetime setting expires and they return to the app authentication page. |