1.1.19 Ensure the option to remain signed in is hidden

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.



After a successful login, the user may be prompted with a Stay signed in or Keep me signed in option. When the user selects this option, a persistent refresh token is created. Typically this token lasts for 90 days and the user is not prompted for sign-in or Multi-Factor Authentication during that period.


Allowing users to select this option presents risk, especially if a user signs into their account on a publicly accessible computer or web browser. In that case it would be trivial for an unauthorized person to gain access to any cloud data associated with that account.


Once this setting is hidden, users will no longer be prompted upon sign-in with the message "Stay signed in?". This may mean users are forced to sign in more frequently. Important: some features of SharePoint Online and Office 2010 have a dependency on users remaining signed in. If you hide this option, users may get additional and unexpected sign-in prompts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To disable the option to remain signed in:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Azure Active Directory > Users and select User settings.

Under Show option to remain signed in select No.

Click Save at the top.

Default Value:

Users may select Stay signed in.



Item Details


References: 800-53|AC-12, CSCv7|16.3

Plugin: microsoft_azure

Control ID: 660f33132c3555366747ec8bb9d168dd76367a3d82c036dff99524252ff32890