且构网


Azure AD B2C logout after session timeout

Updated: 2023-12-02 14:30:40

UPDATE 04-09-2020: The information below is deprecated. Please take note of the notice by Microsoft:

After hearing from customers during the preview, we've implemented authentication session management capabilities in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign-in frequency. After May 30, 2020 no new tenant will be able to use Configurable Token Lifetime policy to configure session and refresh tokens. The deprecation will happen within several months after that, which means that we will stop honoring existing session and refresh token policies. You can still configure access token lifetimes after the deprecation.

I believe that it may be possible to utilize the "User Signin Frequency" setting now, thanks to the fact that the "Persistence for Browser Sessions" is now properly done. Sadly I cannot test this, so if anyone can confirm, please describe in a new answer to this question how you've successfully managed this issue and I'll change the answer and direct this message to your answer.

Old information:

So after a few weeks of cooperation with the Microsoft Support team, we finally have a closing answer and definite solution:

You are using a sign-in policy. For legacy reasons, when you make a call to the /authorize endpoint for a "Sign in policy", you first hit the Azure AD B2C service, and then immediately get rerouted to the Azure AD service. The field for username/password is then actually displayed by the Azure AD service (and not by Azure AD B2C). Once you enter a valid username/password, Azure AD stores a cookie on the client machine for SSO reasons and redirects the client back to Azure AD B2C, which then mints a token and returns a B2C token to the application, along with storing its own cookies for SSO reasons. In other words, Azure AD B2C federates to Azure AD for the sign-in, and both Azure AD and Azure AD B2C have cookies of their own to maintain SSO.

Now when you call logout on Azure AD B2C, or when Azure AD B2C's session expires, Azure AD B2C does its thing to close the session, which is to delete its cookies. However, it does not delete the Azure AD cookies. This means that when you sign in again, Azure AD B2C recognizes that you're not signed in and calls Azure AD. Because Azure AD has cookies planted, or Azure AD's session has not expired, it SSOs the user and the user does not need to enter the username/password again (which is the exact behavior you do not want).

To work around this for the time being, call Azure AD's logout endpoint after calling Azure AD B2C's logout endpoint. Azure AD's logout endpoint is the same as Azure AD B2C's logout endpoint, but without the policy in the URL. For session expiration, you will also need to limit Azure AD's session timeout.

We are working on a sign-in policy (currently in private preview) that does not take a dependency on Azure AD. We are also looking into fixing the behavior for the original Sign in policies.

The solution to my question was indeed to limit the session timeout of Azure AD itself using policies that dictate token lifetimes. Here's the policy I set to expire, in general, all sessions on the tenant after 15 minutes (which was our desire; read the article if you want to set this policy only for specific applications, etc.):

# Sign in to the tenant with the AzureAD PowerShell module
Connect-AzureAD
# Tenant-wide default: both single-factor and multi-factor sessions expire after 15 minutes (format d.hh:mm:ss)
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1, "MaxAgeSessionSingleFactor":"0.00:15:00","MaxAgeSessionMultiFactor":"0.00:15:00"}}') -DisplayName "TokenLifetimeDefaultPolicy" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Disconnect-AzureAD

Thanks to Microsoft Support.
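Added example, not code from the original answer or from Microsoft. It puts the two parts of the "Old information" into working code: the two-step logout workaround Microsoft Support describes (B2C logout first, then the Azure AD logout endpoint, which is the B2C one without the policy in the URL), and a check of a TokenLifetimePolicy definition string of the kind passed to New-AzureADPolicy above. It assumes the legacy B2C sign-in-policy endpoint shape https://login.microsoftonline.com/<tenant>/oauth2/v2.0/logout?p=<policy>, where the policy is the p query parameter; the tenant, policy name and application URLs are constructed placeholders.

```python
# Added example (not from the original answer). Assumes the legacy B2C sign-in-policy
# logout endpoint https://login.microsoftonline.com/<tenant>/oauth2/v2.0/logout?p=<policy>;
# per Microsoft Support, the Azure AD logout endpoint is the same URL without the policy.
# Tenant, policy name and application URLs below are constructed placeholders.
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def _replace_query(url: str, query: list) -> str:
    """Rebuild url with the given query pairs; any fragment is dropped."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def azure_ad_logout_from_b2c(b2c_logout_url: str) -> str:
    """Derive the Azure AD logout endpoint from a B2C sign-in-policy logout URL.

    The support answer says the Azure AD endpoint is the B2C one "without the policy
    in the URL", so the 'p' query parameter is dropped and nothing else is changed.
    """
    parts = urlsplit(b2c_logout_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k.lower() != "p"]
    return _replace_query(b2c_logout_url, query)


def with_post_logout_redirect(logout_url: str, redirect_uri: str) -> str:
    """Set post_logout_redirect_uri on a logout endpoint, replacing any value already present."""
    parts = urlsplit(logout_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "post_logout_redirect_uri"]
    query.append(("post_logout_redirect_uri", redirect_uri))
    return _replace_query(logout_url, query)


def build_logout_chain(b2c_logout_url: str, app_signout_callback: str, app_landing_page: str) -> list:
    """Return the two redirects the application must issue to clear both SSO cookies.

    Step 1: send the browser to B2C's logout; B2C deletes its own cookies and returns
            the browser to the app's sign-out callback.
    Step 2: from that callback, send the browser to Azure AD's logout, which deletes
            the Azure AD cookie and returns the browser to the landing page.
    Stopping after step 1 leaves the Azure AD cookie in place, so the next /authorize
    call is silently SSO'd with no username/password prompt.
    """
    step1 = with_post_logout_redirect(b2c_logout_url, app_signout_callback)
    step2 = with_post_logout_redirect(azure_ad_logout_from_b2c(b2c_logout_url), app_landing_page)
    return [step1, step2]


def parse_timespan_seconds(value: str) -> int:
    """Parse the 'd.hh:mm:ss' duration format used in TokenLifetimePolicy definitions
    ('hh:mm:ss' without a day part is accepted too)."""
    days, _, clock = value.rpartition(".")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return (int(days) if days else 0) * 86400 + hours * 3600 + minutes * 60 + seconds


def session_policy_within(definition_json: str, max_seconds: int) -> bool:
    """True if a TokenLifetimePolicy definition caps both the single-factor and the
    multi-factor session age at or below max_seconds. A missing key means the tenant
    default would apply, which is treated as not meeting the cap."""
    policy = json.loads(definition_json)["TokenLifetimePolicy"]
    keys = ("MaxAgeSessionSingleFactor", "MaxAgeSessionMultiFactor")
    return all(key in policy and parse_timespan_seconds(policy[key]) <= max_seconds for key in keys)


if __name__ == "__main__":
    # Constructed sample values; replace with your tenant, policy and registered reply URLs.
    b2c_logout = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1_signin"
    for step, url in enumerate(build_logout_chain(b2c_logout, "https://app.example.com/signout-callback",
                                                  "https://app.example.com/"), start=1):
        print(f"redirect {step}: {url}")
    definition = ('{"TokenLifetimePolicy":{"Version":1, "MaxAgeSessionSingleFactor":"0.00:15:00",'
                  '"MaxAgeSessionMultiFactor":"0.00:15:00"}}')
    print("session capped at 15 min:", session_policy_within(definition, 15 * 60))
```

The application drives the chain from its sign-out callback: the first redirect ends at that callback, and the callback answers with the second redirect. Both post_logout_redirect_uri values need to be registered reply URLs for the application, and the policy check is a guard for the definition you are about to apply (or read back with Get-AzureADPolicy), not a substitute for the deprecation notice at the top of the answer.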