Authentication scenarios
To understand how policies interact, consider a global session policy that uses Any factor used to meet the Authentication Policy requirements and that has Persist session cookies across browser sessions enabled. The policy defines the length of a session but lets you set different access requirements for each app. This table shows how frequently users have to authenticate when that global session policy is combined with the different authentication policy settings.
| Authentication policy factor settings | Prompts for authentication |
|---|---|
| Password only |
The user signs in with a password or is federated. They're prompted for a password again when the first of these events occurs:
|
| Possession factor only (for each Reauthenticate after setting) |
The user signs in with any enrolled possession factor. They're prompted for the possession factor again if they clear the cookies on their device, or if they return to the app authentication page after the factor lifetime expires. |
| Password + Another factor (for each device setting) |
The user signs in. They're prompted for a password again when the session defined in the global session policy expires. They're prompted for another factor only if they clear the cookies on their device. |
| Password + Another factor (for each session) |
The user signs in. They're prompted for a password or an authenticator again when the session defined in the global session policy expires. |
| Password + Another factor (every time) |
The user signs in. They're prompted for a password or an authenticator again if they return to the app authentication page. |
| Password + Another factor (for each Reauthenticate after setting) |
The user signs in. They're prompted for a password again when the session defined in the global session policy expires. They're prompted for another factor again if they clear the cookies on their device, or if they return to the app authentication page after the factor lifetime expires. |