I would like to configure the custom policy so that a user is required to log in after 1 day of inactivity (idle). If they do something then the session refreshes. They have to enter the password again at least once every 30 days. So even if they've been using the app everyday and their session keeps on rolling. Is this possible?

I've looked here and it doesn't seem like this is supported?

https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior

CodePudding user response：

The standard refresh token time is 24 hours so that should cover the day of inactivity.

You shouldn't need a rolling session.

Make the web app session timeout "Absolute" which indicates that the user is forced to re-authenticate after the time period specified.

In terms of the forced password reset, look here.

CodePudding user response：

Set the following:

1. 1hr access token lifetime
2. 24hr refresh token lifetime, absolute length (fixed 24hrs for SPA apps). Reduce this time below (3) to give higher chance of web session being extended.
3. 24 hr web session rolling to 30 days. Only extends when (2) expires but (3) is still valid.

It gets the closest to your requirements.