Applies to Product - Power Pages
What’s happening?
Users are experiencing issues where the session persists even after clicking "Log Out" when using Entra External ID Authentication. Additionally, the session expiry timeout is functioning for portal/site sign-out but not for sign-out with the identity provider (Entra External ID), allowing users to access the site without re-authentication.
Reason:
The underlying cause appears to be related to the configuration of session settings. Specifically, the ExternalLogoutEnabled setting may not be functioning correctly when the sign-out is triggered by session expiry/timeout. The session cookie expiration does not trigger an external logout process, which is designed to only expire the session cookie without prompting for re-authentication.
Resolution:
- Ensure that the authority URL is correct and that the metadata URL configured is accessible and providing a success response.
- Verify that the site settings are configured correctly:
- ExpireTimeSpan should be set to the desired timeout duration (e.g., 30 minutes).
- ExternalLogoutEnabled should be set to true.
- If this persists, consider implementing a custom script to handle session timeout and trigger the logout process for the identity provider.
- Review the documentation on session behavior for Azure AD B2C and Entra External ID to ensure proper configuration and expected behavior.
