Hi Steve, in the meantime I solved this issue for us. The root cause of why our users weren't asked for credentials was the lifetime of the Azure token, which is very long in my opinion. (If I remember right, it's about 90 days or so.) With an active token the user isn't asked for new credentials, and then it's possible that a wrong account is selected by the application. This is especially a problem when the application should be used with another account than the "normal" user account that is used for logging into their client or their standard enterprise applications. Microsoft doesn't want the user to get asked for credentials every hour, day, etc., because this could be uncomfortable for a normal user to work with.

There is no chance to modify this token lifetime in Azure, so I did a workaround. I created a "Conditional Access Policy" in Azure for my GP application which sets the sign-in frequency to 1 hour. So when a user is logged in to GP and is disconnected within the first hour, he won't be asked for his credentials and he can re-login. But after 1 hour he is asked for credentials again. This works fine for us so far, and our users are automatically asked for new credentials or their account every morning when they start to work, because overnight they were disconnected and the single hour their sign-in frequency is valid has expired by then. You can find a lot of articles on how to set up these conditional access policies for sign-in frequency on the internet.
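The policy the reply above describes, expressed as a Microsoft Graph PowerShell SDK call, is added here as an example and is not code from the original post. It assumes the GlobalProtect SAML enterprise app's application (client) ID and the object ID of the group that holds the admin accounts; both GUIDs below are placeholders. It creates the policy in report-only mode first so the sign-in logs can be checked before it is enforced.

```powershell
# Added example (not from the original post): create a Conditional Access
# policy that sets the sign-in frequency for the GlobalProtect app to 1 hour.
# Placeholders (assumptions): replace with the real IDs from your tenant.
$GpAppId      = '00000000-0000-0000-0000-000000000000'   # application (client) ID of the GP SAML enterprise app
$AdminGroupId = '11111111-1111-1111-1111-111111111111'   # object ID of the group containing the admin accounts

# Requires a role that may manage Conditional Access (e.g. Conditional Access Administrator).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$policy = @{
    displayName = 'GlobalProtect - sign-in frequency 1 hour'
    # Report-only first; switch to 'enabled' once the sign-in logs show the expected matches.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($GpAppId) }
        users          = @{ includeGroups = @($AdminGroupId) }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        # Forces re-authentication (and therefore a fresh account choice) after 1 hour,
        # instead of silently reusing the long-lived refresh token.
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and check that the session control was stored as intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'SignInFrequency'; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }

# Enforce once the report-only results look right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Scope the policy to the GP enterprise app and the admin group only, as shown, so the 1-hour re-authentication does not hit every user in the tenant. The value in `includeApplications` is the enterprise app's application (client) ID, not its object ID; using the wrong one is a common reason a policy like this never matches.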
Hello Community, we've configured GP to authenticate via SAML to our Azure AD service so that we can use MFA on GP. GP is only used by IT employees with their "admin" accounts. So far, it seems to work fine the way it's configured. The only problem we are facing is that some users are not asked which Microsoft account they want to use in GP when they activate GP. We don't want the "normal" corporate accounts to get used for GP, but on some machines, GP automatically selects their normal accounts when connecting the client, and the normal accounts don't have permissions to connect to GP. Is there a way to "force" an account selection when connecting to GP or when authenticating to Azure via SAML? What could be the reason why some machines are automatically selecting an account and others are asking which account should be used for GP? Any Azure cookie or token lifetime? Thanks in advance