Security Policy and Active Sessions

Permission: users.manage

Purpose

App routes: /admin/policies, /admin/sessions

Prerequisites and data sources

Tabs and actions

Freshness and scope behavior

Workflow overview

Safe change procedure

Keep at least one tested recovery path before disabling local login. Shortening absolute lifetime affects future validity checks. After SSO/policy changes, test in a private browser before ending the existing administrator session.

Interpretation of results

Exports, history, scheduling, and integrations

Active Sessions

The table shows user, active/expired state, IP, user agent, and last seen. Toggle Show expired sessions, refresh, revoke one session, or revoke expired sessions in bulk. Revocation forces reauthentication for that session; user-level Sign out is available in Access Control.

Safety and limitations

Security Policy

Visible settings are:

  • Sign-in methods: local password sign-in and local self-registration.
  • Password policy: minimum length and complexity (upper, lower, digit).
  • Account protection: per-account maximum failures and lockout duration.
  • IP protection: enablement, maximum failures, sliding-window seconds, and IP lockout seconds.
  • Sessions: idle timeout and absolute lifetime, both in minutes.
  • SSO JIT: auto-provision and default role for a new SSO user.

The implementation does not expose local-account MFA controls in this screen. Complexity is not a substitute for SSO/MFA at the identity provider. Keep JIT’s default role at noaccess or another explicitly reviewed least-privilege role.

Troubleshooting

Use the checks below when results differ from expectations.


Back to top

Azure Support Agent is open source under the MIT License.

This site uses Just the Docs, a documentation theme for Jekyll.