1.1.16 Ensure the option to stay signed in is disabled

Information

The Stay signed in (also labelled Keep me signed in) prompt is shown to the user after a successful sign-in. If the user accepts it, a persistent refresh token is created for that browser profile. Typically this token lasts for 90 days, during which the user is not prompted to sign in again or to complete multi-factor authentication.

Rationale:

Allowing users to select this option presents a risk, especially in the event that the user signs in to their account on a publicly accessible computer or web browser. In that case, anyone with access to the browser profile the user signed in with can reach the account simply by directing the web browser to office.com.

Impact:

Once this setting is changed, users will no longer be shown the Stay signed in? prompt at sign-in. This may mean users are forced to sign in more frequently. Important: some features of SharePoint Online and Office 2010 depend on users remaining signed in. If you hide this option, users may get additional and unexpected sign-in prompts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To disable the option to remain signed in, and to verify the current setting, use the Microsoft 365 Admin Center:

Log in to https://admin.microsoft.com as a Global Administrator.

Go to Admin centers and click Azure Active Directory. Once in the Azure Active Directory admin center, select Azure Active Directory.

Under Manage, scroll down and select Company branding, then select the appropriate policy.

If no policy exists you will need to create one.

Scroll to the bottom of the newly opened pane and ensure Show option to remain signed in is set to No.

Click Save.

Default Value:

Users may select Stay signed in.

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|16.3

Plugin: microsoft_azure

Control ID: 75d88d5f507ef3d8780a1c893f8a51a20635b99e887e65cc6e2f2e323bab094d