To demonstrate how authentication policies and Global Session Policies interact, consider a Global Session Policy that uses Password / IDP / any factor allowed by app sign on rules. This Global Session Policy setting offers the most flexibility when configuring authentication policies for each app in your org (for example, passwordless authentication for one app and secure MFA for another). Combining this setting with the following authentication policy settings results in different authentication experiences for end users.
|Authentication policy factor settings||Prompts for authentication|
End user signs in with a password or is federated and is not prompted for a password again until the first of these events occurs:
|Password + possession factor (for each device setting)||
|Password + possession factor (for each session)||End user signs in and is not prompted for a password or authenticator again until the session defined in the Global Session Policy expires.|
|Password + possession factor (every time)||End user signs in and is not prompted for a password or authenticator again until they return to the app authentication page.|
|Password + possession factor (for each Re-authenticate after setting)||
|Possession factor only (for each Re-authenticate after setting)||