When you enable authentication policy controls, Privileged Access Service leaves the following identity cookies in your users’ browsers:
- After multifactor authentication: The Privileged Access Service leaves a cookie in the current browser after the user has successfully logged in to Admin Portal by using a multifactor authentication method.
When the Privileged Access Service finds this cookie, it does not prompt the user for an additional authentication method on subsequent logins. If you want to require multifactor authentication on subsequent logins as well, ensure that you do NOT have an authentication rule that uses the Identity Cookie filter, and set the Default Profile to a profile that requires the necessary authentication methods. See Creating authentication rules for instructions on creating authentication controls.
- After IWA authentication: The Privileged Access Service leaves a cookie in the current browser after the user has successfully logged in to the Admin Portal using Integrated Windows Authentication.
When the Privileged Access Service finds this cookie, it ignores the multifactor authentication requirements and lets the user open, from the Admin Portal, a web application that is set with the “Restrict app to clients within the Corporate IP range” policy, regardless of the client's IP address (see Removing an application).
Users are required to provide multifactor authentication again if the cookies are deleted or if they log in from a different browser.
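The following is an added illustration, not code from the Privileged Access Service or its documentation. It models authentication rules as an ordered list in which the first rule whose filters all match selects the authentication profile, with the Default Profile applied when no rule matches; that first-match semantics, the filter and profile names, and the sample requests are assumptions made for the example. It shows why a rule keyed on the Identity Cookie filter lets a returning browser skip MFA, and how removing that rule and tightening the Default Profile restores the prompt. `cookie_rules()` is the audit check an administrator would run over their own rule set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """An authentication profile: the set of methods a login must complete."""
    name: str
    methods: tuple  # e.g. ("password",) or ("password", "otp")

    @property
    def is_mfa(self) -> bool:
        # Two or more distinct methods counts as multifactor in this model.
        return len(set(self.methods)) >= 2


@dataclass(frozen=True)
class Rule:
    """One authentication rule: every filter must match for the rule to apply."""
    filters: dict  # filter name -> required value (assumed names, e.g. "identity_cookie")
    profile: Profile


@dataclass(frozen=True)
class Policy:
    rules: tuple            # evaluated in order, first match wins (assumption)
    default_profile: Profile  # applied when no rule matches

    def select_profile(self, request: dict) -> Profile:
        for rule in self.rules:
            if all(request.get(k) == v for k, v in rule.filters.items()):
                return rule.profile
        return self.default_profile


# Constructed profiles.
PASSWORD_ONLY = Profile("Password only", ("password",))
PASSWORD_PLUS_OTP = Profile("Password + OTP", ("password", "otp"))

# Weak configuration: a rule on the Identity Cookie filter downgrades any
# browser carrying the cookie to a single factor, whatever the Default Profile says.
WEAK = Policy(
    rules=(Rule({"identity_cookie": True}, PASSWORD_ONLY),),
    default_profile=PASSWORD_PLUS_OTP,
)

# Corrected configuration: no Identity Cookie rule, Default Profile requires MFA.
CORRECTED = Policy(rules=(), default_profile=PASSWORD_PLUS_OTP)

# Constructed login requests: a fresh browser (or deleted cookies) and a returning one.
FIRST_LOGIN = {"identity_cookie": False}
RETURNING_BROWSER = {"identity_cookie": True}


def requires_mfa(policy: Policy, request: dict) -> bool:
    """True when the profile selected for this request demands more than one factor."""
    return policy.select_profile(request).is_mfa


def cookie_rules(policy: Policy) -> list:
    """Audit helper: names of profiles reachable through an Identity Cookie filter."""
    return [r.profile.name for r in policy.rules if "identity_cookie" in r.filters]


if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, "first login MFA:", requires_mfa(policy, FIRST_LOGIN),
              "returning browser MFA:", requires_mfa(policy, RETURNING_BROWSER),
              "cookie rules:", cookie_rules(policy))
```

Run the module to see the two configurations side by side; an empty result from `cookie_rules()` together with an MFA-capable Default Profile is the state the documentation above asks for.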