MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure AD Registered satisfies Sign-In Frequency Policy accuracy #95761

Open robert-bunch opened 2 years ago

robert-bunch commented 2 years ago

User sign-in frequency and device identities If you have Azure AD joined, hybrid Azure AD joined, or Azure AD registered devices, when a user unlocks their device or signs in interactively, this event will satisfy the sign-in frequency policy as well.

Can we confirm the accuracy of this? Does locking/unlocking your Azure AD Registered device satisfy the sign-in frequency, since it does not use the Cloud AP plugin like Azure AD Joined and Hybrid Joined devices do?


JamesTran-MSFT commented 2 years ago

@robert-bunch Thanks for your feedback! We will investigate and update as appropriate.

alfredorevilla commented 2 years ago

Hello @robert-bunch, confirmed. Azure AD tokens will be retrieved and used, thus CA policies will be applied accordingly.

robert-bunch commented 2 years ago

Hello @robert-bunch, confirmed. Azure AD tokens will be retrieved and used, thus CA policies will be applied accordingly.

That sounds right for a Hybrid Azure AD joined or Azure AD joined device, since your cloud credentials are used during login/lock/unlock. On an AAD Registered device you are logged in with a local account or MSA account, not a cloud account.

We have a 7-day sign-in frequency enforced and a lot of AAD Registered devices. The examples in this article don't seem to be accurate behavior for an AAD Registered device. The sign-in frequency window does not shift if you lock/unlock the AAD Registered workstation within the window, as noted in example 2.
