2

We have implemented a few connections to cloud providers using CloudRail.

For most of them (Google Drive, Box, Dropbox and OneDrive) we are asked for our username and password and then to allow access each time we connect without using stored tokens. However, if we use OneDriveBusiness we are only asked once and then each subsequent time, it authenticates automatically.

I will need to clear the history on my browser to get it to show the authentication screen.

Is this the expected behavior of OneDrive For Business/Azure?

I understand that Azure will store that you have allowed a user access but is there a way to log in as a different user without clearing the browser?

Thanks in advance.

Gary O

2 Answers

0

Yes, this is how Azure AD works. Depending on the client type, they can get a refresh token that allows them to get a new access token whenever they wish. Refresh tokens can expire though, for example if you reset your password they will stop working. And not all clients can get refresh tokens, for example JavaScript apps running in your browser cannot get refresh tokens.

Logging in as different users can be a bit difficult. By default, Azure AD will check if you have an active session with a user. If you have a session with a single user, it will just automatically log you in. This is single sign-on. However, if you have multiple active sessions or the client app says to AAD "force selection" then a selector will come up. We do this in one of our products where we offer two login buttons, one doing single sign-on, and the other forcing account selection. What I do to get around the issue of multiple accounts is use Firefox's Multi-Account Containers. Or you can use a regular window + Incognito/Private window.

juunas
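An added example, not part of the answer above and not CloudRail code: how a client asks Azure AD to force the account selector. It assumes the app builds its own authorization-code request against the Microsoft identity platform v2.0 endpoint, where the `prompt` parameter controls this; the client ID, redirect URI and the helper names are constructed for illustration, and the page does not say whether CloudRail exposes this parameter.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Authorization endpoint of the Microsoft identity platform (v2.0).
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
# Documented values of the `prompt` parameter.
PROMPTS = {"login", "none", "consent", "select_account"}


def build_authorize_request(client_id, redirect_uri, scopes,
                            tenant="common", prompt=None, login_hint=None):
    """Return (url, state, code_verifier) for an auth-code + PKCE sign-in."""
    if prompt is not None and prompt not in PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    state = secrets.token_urlsafe(24)          # compared again on the redirect
    code_verifier = secrets.token_urlsafe(48)  # 64 characters
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": base64.urlsafe_b64encode(digest).rstrip(b"=").decode(),
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt          # omitted: an existing session is reused
    if login_hint:
        params["login_hint"] = login_hint  # pre-fills the account name
    url = AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)
    return url, state, code_verifier


def login_buttons(client_id, redirect_uri, scopes):
    """Two sign-in links: single sign-on and forced account selection."""
    return {
        "sso": build_authorize_request(client_id, redirect_uri, scopes),
        "switch_account": build_authorize_request(
            client_id, redirect_uri, scopes, prompt="select_account"),
    }


# Constructed sample values, not a real app registration.
SAMPLE = login_buttons("00000000-0000-0000-0000-000000000000",
                       "https://app.example/callback",
                       ["openid", "offline_access", "Files.Read"])
```

With `prompt=login` instead of `select_account`, the user is asked to re-enter credentials even when a session exists.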
0

> I will need to clear the history on my browser to get it to show the authentication screen. Is this the expected behavior of OneDrive For Business/Azure?

Yes, that is the expected behavior if the user marks "remember browser" or "keep me logged in". When CloudRail tries to use the WebView or SafariView, it may already be with the previous user in those scenarios. As @Gary mentioned in the question, it is necessary to manually clear the WebView or the browser cache in those cases.

> I understand that Azure will store that you have allowed a user access but is there a way to log in as a different user without clearing the browser?

Right now, as mentioned in the text above, the way to log in as another account without clearing the browser (or at least Microsoft domains) cache is NOT ENABLING options like "remember browser" or "keep me logged in" during the authentication process.

CloudRail Staff.