Azure P2S VPN (Entra ID Auth) Session/Idle Timeout Policy and Configuration

Question

Azure P2S VPN (Entra ID Auth) Session/Idle Timeout Policy and Configuration

Witsanu Ratreeswad 0

Dear Microsoft Support Team,

I am seeking official clarification regarding the Session Timeout and Idle Timeout policies for our Point-to-Site (P2S) VPN connections terminating on Azure Virtual WAN (vWAN).

VPN Type: P2S via Azure Virtual WAN
Authentication Method: Microsoft Entra ID

We need confirmation on the following:

Is there an Azure-enforced Session Lifetime or Idle Disconnect Timeout for P2S connections?
If such a timeout exists, what are the default values, and what is the official documentation for extending this duration to ensure continuous operation for our users (e.g., aiming for 24-hour sessions)?

Please direct us to the relevant documentation or assist us in verifying the configuration on our VPN Gateway/vWAN setup.

Venkatesan S 1,090 Reputation points Microsoft External Staff Moderator

2025-12-12T05:09:11.6933333+00:00
Hi Witsanu Ratreeswad,

Thanks for reaching out in Microsoft Q&A forum,

Azure Virtual WAN Point-to-Site (P2S) VPN connections using Microsoft Entra ID authentication do not have a server-side enforced session lifetime or idle disconnect timeout configured on the Azure gateway or vWAN hub. Instead, session persistence is governed by Microsoft Entra ID token lifetimes:

Access tokens are renewed approximately every hour as long as the refresh token is valid.

By default, refresh tokens are valid for a rolling 90-day window, allowing long-lived sessions if no Conditional Access policies force reauthentication.

There is no Azure-side idle timeout setting for P2S VPN (including vWAN P2S) that can be extended to, for example, 24 hours. Observed disconnections are typically due to:

Client-side behavior (e.g., sleep, network changes, client app timeouts).

Microsoft Entra ID Conditional Access policies (e.g., sign-in frequency, session controls).

Network issues (NAT timeouts, firewalls, unstable connectivity).

How to Achieve Long Sessions (e.g., 24 hours)

To support long, continuous sessions:

Configure Conditional Access session controls:

Set Sign-in frequency to a value greater than 2 hours (e.g., 24 hours) in your Conditional Access policy.

Enable Persistent browser sessions if appropriate for your scenario.

Avoid policies that require reauthentication “every time” or very frequently.

Use persistent Entra ID sessions:

Ensure users are signed in with a persistent session (e.g., “Keep me signed in” where allowed).

Monitor sign-in logs to verify token refresh behavior and session continuity.

Client and network best practices:

Ensure the client device does not sleep or lose network connectivity.

Use a stable internet connection and avoid aggressive NAT/firewall idle timeouts.

Official Documentation

Point-to-site VPN session management - Azure VPN Gateway | Microsoft Learn

Troubleshoot Azure point-to-site connection problems - Azure VPN Gateway | Microsoft Learn

Configure a P2S User VPN - Microsoft Entra ID authentication - manually registered Azure VPN Client App ID - Azure Virtual WAN | Microsoft Learn

Adaptive Session Lifetime Policies for Conditional Access - Microsoft Entra ID | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.

Please "up vote" if the information helped you. This will help us and others in the community as well

1 answer

Your answer

Answer 1

For Azure Point-to-Site (P2S) VPN connections using Microsoft Entra ID authentication, there are specific considerations regarding session and idle timeout policies:

Session Lifetime and Idle Disconnect Timeout: The default lifetime for refresh tokens used in Microsoft Entra ID authentication is 90 days. However, the refresh tokens can expire sooner based on conditional access policies set by your Entra tenant administrators. These policies can enforce reauthentication every few hours, which effectively impacts session continuity.
Extending Timeout Duration: To ensure continuous operation for your users, you can work with your Entra tenant administrators to adjust the sign-in frequency by adding conditional access policies. This can help extend the refresh token expiration interval, allowing for longer sessions. For detailed guidance on configuring these settings, you can refer to the Microsoft documentation on Refresh tokens in the Microsoft identity platform and Configure adaptive session lifetime policies.

For specific configurations on your VPN Gateway or vWAN setup, you may need to verify the settings directly in the Azure portal or through Azure PowerShell commands.

References:

Share via

Azure P2S VPN (Entra ID Auth) Session/Idle Timeout Policy and Configuration

1 answer

Your answer