Question
I logged into cloud services such as Microsoft 365 / Google Workspace via Access Control using a browser/app.
After the authentication cookie expires or when accessing from an environment outside the access conditions, I can still use the browser/app without re-authentication. Please tell me the cause and how to address this.
Answer
If re-authentication is not requested when accessing the service after Access Control authentication, it may be due to the session maintained by the cloud service such as Microsoft 365 or Google Workspace, not the settings on the Access Control side.
When SSO is configured, the relationship between the integrated service and Access Control is as shown in the following diagram: the integrated service calls Access Control as needed.
Therefore, if the integrated service's own session remains in the browser or app, Access Control is not called, as shown in the diagram below (i.e., login condition checks are not performed), and the service can be accessed as is.
While Access Control is not being called, no authentication processing occurs on the Access Control side, so that access is not recorded in the access logs.
For example, Microsoft has published the following article regarding how long sessions are maintained for each Microsoft 365 service.
- Microsoft 365 Session Timeout: https://learn.microsoft.com/en-us/microsoft-365/enterprise/session-timeouts
Also, Google has published the following article.
- Set session duration for Google services: https://support.google.com/a/answer/7576830
If you want to forcibly disconnect sessions for each service, the following methods are available.
[Microsoft 365 Method 1] Change the user password on the Microsoft 365 side. You need to perform one of the following: reset the password from the admin console, change it using PowerShell, or change it from AD using Azure AD Connect.
[Microsoft 365 Method 2] Use PowerShell to forcibly disconnect sessions. For details, please refer to our article below. Operations can be done per user or for all users.
Disconnecting Azure AD Modern Authentication
[Google Workspace Method 1] Change the user password on the Google Workspace side. For details, please refer to our article below. Operations can be done per user or in bulk.
Disconnecting Google Workspace Authentication
[Google Workspace Method 2] Reset the user's login cookies. This operation is only possible per user. For details, please refer to the following Google article.
Block access to Google services from lost devices: https://support.google.com/a/answer/178854
These behaviors may change in the future due to specification changes on the cloud service side.
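As an illustration of [Microsoft 365 Method 2], the following added example (not taken from the article referenced above and not the vendor's own procedure) revokes sign-in sessions per user or for all enabled users with the Microsoft Graph PowerShell SDK. The function name `Revoke-M365Session` and the address `user@example.com` are hypothetical, and it assumes the SDK is installed and the signed-in administrator can consent to `User.ReadWrite.All`.

```powershell
# Added example. Assumes: Install-Module Microsoft.Graph has been run and the
# operator holds an admin role that may revoke user sessions.
function Revoke-M365Session {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # One or more user principal names (per-user operation).
        [Parameter(Mandatory, ParameterSetName = 'PerUser')]
        [string[]]$UserPrincipalName,

        # Target every enabled account in the tenant (bulk operation).
        [Parameter(Mandatory, ParameterSetName = 'All')]
        [switch]$AllUsers
    )

    $targets = if ($AllUsers) {
        Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName
    } else {
        $UserPrincipalName | ForEach-Object {
            Get-MgUser -UserId $_ -Property Id, UserPrincipalName
        }
    }

    foreach ($u in $targets) {
        # -WhatIf / -Confirm are honoured here, so a dry run lists targets only.
        if (-not $PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Revoke sign-in sessions')) {
            continue
        }
        try {
            # Invalidates the user's refresh tokens and browser session cookies,
            # so the next request is sent back through sign-in (and the SSO provider).
            Revoke-MgUserSignInSession -UserId $u.Id -ErrorAction Stop | Out-Null
            [pscustomobject]@{ User = $u.UserPrincipalName; Revoked = $true; Error = $null }
        } catch {
            # Report the failure and keep going with the remaining users.
            [pscustomobject]@{ User = $u.UserPrincipalName; Revoked = $false; Error = $_.Exception.Message }
        }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Dry run for a single (constructed) account; remove -WhatIf to apply.
Revoke-M365Session -UserPrincipalName 'user@example.com' -WhatIf

# Bulk form, prompting before each user because ConfirmImpact is High:
# Revoke-M365Session -AllUsers
```

Access tokens that were already issued stay usable until they expire, so re-authentication through Access Control happens when the client next needs a new token rather than at the instant of revocation.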