Question
When accessing service providers (hereafter referred to as SP), such as Microsoft 365 or Google Workspace, that are integrated with Access Control, there are cases where you can sign in without being prompted with a login (authentication) screen.
Under what conditions is authentication skipped, and how does this mechanism work?
Also, please let us know how to force authentication to be required again (forcefully terminate the session).
Answer
If the authentication screen does not appear when a user accesses an SP, it is possible that the authentication session on the SP side is still valid.
If your browser or app is retaining the authentication session for the SP, no authentication request will be sent to the IdP.
As a result, as shown in the diagram below, users can access the service directly without going through Access Control authentication or login condition checks.
The duration for which the session is retained on the SP side varies by service.
For example, Microsoft and Google have published the following articles:
- Microsoft 365 session timeouts (external link)
- Set session length for Google services (external link)
Depending on the SP, the session retention period on the SP side can be configured in the "Session Status" setting for the service provider in Access Control.
* Please note that for some SPs, the session expiration set on the SP side will take precedence over the "Session Status" configured in Access Control.
How to forcefully terminate sessions for each service
For Microsoft 365
- Change the user's password
You will need to either reset the password from the Administration, change it using PowerShell, or use Azure AD Connect to change the password from AD.
- Force sign out sessions using PowerShell
For more information, please refer to the following article. You can perform this operation per user or for all users.
Disconnect Azure AD Modern Authentication
- Force sign out from Microsoft 365 admin center
For more information, please refer to the following article. This operation can be performed per user.
Reset password and sign out of all sessions (external site)
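The PowerShell sign-out option above, per user or for all users, as an added example that is not taken from this article or from the linked articles. It assumes the Microsoft Graph PowerShell SDK is installed and that the operator can consent to the User.ReadWrite.All scope; the script name Revoke-Sessions.ps1 and the sample UPN are hypothetical.

```powershell
# Revoke-Sessions.ps1 (hypothetical file name; added example)
# Usage:  .\Revoke-Sessions.ps1 -UserId user@example.com      (constructed UPN)
#         .\Revoke-Sessions.ps1 -AllUsers -WhatIf             (dry run, lists targets only)
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # One or more UPNs or object IDs to sign out.
    [string[]] $UserId,
    # Target every enabled account in the tenant instead of named users.
    [switch] $AllUsers
)

if (-not $AllUsers -and -not $UserId) {
    throw 'Specify -UserId <upn-or-object-id> or -AllUsers.'
}

# Assumption: this delegated scope is sufficient in your tenant.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Resolve the target accounts first so the confirmation prompt shows real UPNs.
$targets = if ($AllUsers) {
    Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName
} else {
    $UserId | ForEach-Object { Get-MgUser -UserId $_ -Property Id, UserPrincipalName }
}

foreach ($user in $targets) {
    # ConfirmImpact = 'High' makes PowerShell ask before each revocation
    # unless -Confirm:$false is passed; -WhatIf performs no changes.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sign-in sessions')) {
        try {
            # Invalidates the user's refresh tokens and browser session cookies.
            Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
            Write-Output "Revoked: $($user.UserPrincipalName)"
        } catch {
            Write-Warning "Failed: $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
}
```

Access tokens that were already issued can remain usable until they expire, so a client may keep working for a short time before it is sent back to the IdP for authentication.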
For Google Workspace
- Change the user's password
For more information, please refer to the following article. This operation can be performed per user or in bulk.
Disconnect Google Workspace authentication
- Reset the user's login cookie
This can only be reset per user. For more details, please refer to the following Google article.
Block access to Google services from lost devices (external link)
The above operations may change in the future due to changes in SP specifications.
Reference
[Access Control] Want to know the relationship between "Session Status" and "Cookie lifespan" for Integration Settings
[Access Control] Repeated login prompts occur for Integration Settings (frequent authentication requests)