08-23-2021 01:13 AM
Hi Steve,
In the meantime I solved this issue for us.
The root cause why our users weren't asked for credentials was the lifetime of the Azure token, which is very long in my opinion. (If I remember right, it's about 90 days or so.)
With an active token the user isn't asked for new credentials, and then it's possible that the wrong account is selected by the application. This is especially a problem when the application should be used with another account than the "normal" user account which is used for logging into their client or their standard enterprise applications.
Microsoft doesn't want the user to get asked for credentials every hour, day, etc., because this could be uncomfortable for a normal user to work with.
There is no chance to modify this token lifetime in Azure, so I did a workaround. I created a "Conditional Access Policy" on Azure in my GP application which sets the sign-in frequency to 1 hour. So when a user is logged in to GP and he's disconnected within the first hour, he won't be asked for his credentials and he can re-login. But after 1 hour he is asked for credentials again.
This works fine for us so far, and our users are automatically asked for new credentials or their account every morning when they start to work, because they were disconnected overnight and the single hour for which their sign-in frequency is valid has expired by then.
You can find a lot of articles on how to set up these conditional access policies for sign-in frequency on the internet.
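
The workaround described in the post above, written as an added example with the Microsoft Graph PowerShell SDK (not part of the original post or the poster's configuration). The application ID, the excluded emergency-access account ID and the policy name are placeholder assumptions; the policy is created in report-only mode so its effect can be checked before it is enforced.

```powershell
# Added example: Conditional Access policy that forces re-authentication
# every hour for one enterprise application.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders (assumptions): replace with values from your own tenant.
$gpAppId      = '00000000-0000-0000-0000-000000000000'  # application (client) ID of the GP enterprise app
$breakGlassId = '11111111-1111-1111-1111-111111111111'  # object ID of an emergency-access account

$policy = @{
    displayName = 'GP - sign-in frequency 1 hour'        # constructed name
    state       = 'enabledForReportingButNotEnforced'    # report-only until verified
    conditions  = @{
        clientAppTypes = @('all')
        # Scope the policy to the one application, not the whole tenant.
        applications   = @{ includeApplications = @($gpAppId) }
        # Keep an emergency-access account outside the policy.
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
    }
    sessionControls = @{
        # The setting the post relies on: a sign-in older than 1 hour
        # triggers a fresh credential prompt for this application.
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the session control that was stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SignInFrequency | Select-Object IsEnabled, Type, Value
```

Once the report-only results in the sign-in logs show the prompt firing only for the intended application, change `state` to `enabled`.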