5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:

- Resource access from an unmanaged or shared device
- Access to sensitive information from an external network
- High-privileged users
- Business-critical applications

Note: This CA policy can be added to the previous CA policy in this benchmark, "Ensure multifactor authentication is enabled for all users in administrative roles".

Forcing a time-out for MFA helps ensure that sessions are not kept alive for an indefinite period of time. Ensuring that browser sessions are not persistent helps prevent drive-by attacks in web browsers; it also prevents the creation and saving of session cookies, leaving nothing for an attacker to take.

Solution

To remediate using the UI:

- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Expand ID Protection and click Risk-based Conditional Access.
- Click New policy.
- Under Users, under Include, choose Select users and groups and check Directory roles.
- At a minimum, include the directory roles listed below in this section of the document.
- Under Target resources, include All resources (formerly 'All cloud apps').
- Under Grant, select Grant access and check Require multifactor authentication.
- Under Session, select Sign-in frequency, choose Periodic reauthentication, and set it to 4 hours (or less).
- Check Persistent browser session, then select Never persistent in the drop-down menu.
- Under Enable policy, set it to Report-only until the organization is ready to enable it.

At minimum these directory roles should be included in the policy:

- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator

Note: Break-glass accounts should be excluded from all Conditional Access policies.
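The same policy can be created programmatically through Microsoft Graph. The script below is an added example, not part of the CIS benchmark or the Tenable audit; it assumes the Microsoft Graph PowerShell SDK is installed, resolves the role names above to their directory role template IDs at run time rather than hard-coding GUIDs, creates the policy in report-only state, and takes the object IDs of the break-glass accounts to exclude from a placeholder array you must fill in.

```powershell
# Added example: create the administrator sign-in frequency / non-persistent browser
# Conditional Access policy via Microsoft Graph PowerShell (report-only to start).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

# Directory roles the benchmark requires at minimum.
$requiredRoles = @(
    "Application Administrator", "Authentication Administrator", "Billing Administrator",
    "Cloud Application Administrator", "Conditional Access Administrator", "Exchange Administrator",
    "Global Administrator", "Global Reader", "Helpdesk Administrator", "Password Administrator",
    "Privileged Authentication Administrator", "Privileged Role Administrator",
    "Security Administrator", "SharePoint Administrator", "User Administrator"
)

# Placeholder: object IDs of the break-glass accounts to exclude from this policy.
$breakGlassUserIds = @("<BREAK-GLASS-USER-OBJECT-ID-1>", "<BREAK-GLASS-USER-OBJECT-ID-2>")

# Resolve display names to role template IDs; fail if any name does not match so the
# policy is never created with a role silently missing.
$templates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $requiredRoles) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Directory role template not found: $name" }
    $t.Id
}

$policy = @{
    displayName = "CIS 5.2.2.4 - Admin sign-in frequency 4h, no persistent browser sessions"
    state       = "enabledForReportingButNotEnforced"   # Report-only until ready to enforce
    conditions  = @{
        users          = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlassUserIds) }
        applications   = @{ includeApplications = @("All") }   # All resources / all cloud apps
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        # Periodic reauthentication every 4 hours (benchmark allows 4 hours or less)
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 4; frequencyInterval = "timeBased" }
        # Never persist the browser session, so no long-lived session cookie is saved
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Review the policy's report-only sign-in results in Entra before changing its state to enabled.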

Impact:

Users with Administrative roles will be prompted at the frequency set for MFA.

See Also

https://workbench.cisecurity.org/benchmarks/22162