Authentication scenarios
To understand how policies interact, consider a global session policy that uses the "Any factor used to meet the Authentication Policy requirements" setting. This policy defines the length of a session but lets you set different access requirements for each app. This table shows how frequently users have to authenticate when that global session policy is combined with the different authentication policy settings.
Authentication policy factor settings | Prompts for authentication |
---|---|
Password only | The user signs in with a password or is federated. They're prompted for a password again when the first of these events occurs: |
Password + possession factor (for each device setting) | The user signs in. They're prompted for a password again when the session defined in the global session policy expires. They're prompted for a possession factor only if they clear the cookies on their device. |
Password + possession factor (for each session) | The user signs in. They're prompted for a password or an authenticator again when the session defined in the global session policy expires. |
Password + possession factor (every time) | The user signs in. They're prompted for a password or an authenticator again if they return to the app authentication page. |
Password + possession factor (for each Re-authenticate after setting) | The user signs in. They're prompted for a password again when the session defined in the global session policy expires. They're prompted for the possession factor again if they clear the cookies on their device, or if they return to the app authentication page after the factor lifetime expires. |
Possession factor only (for each Re-authenticate after setting) | The user signs in with any enrolled possession factor. They're prompted for the possession factor again if they clear the cookies on their device, or if they return to the app authentication page after the factor lifetime expires. |