Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users


In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:

Resource access from an unmanaged or shared device

Access to sensitive information from an external network

High-privileged users

Business-critical applications

Ensure Sign-in frequency does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management.

Ensure Persistent browser session is set to Never persist

NOTE: This CA policy can be added to the previous CA policy in this benchmark 'Ensure multifactor authentication is enabled for all users in administrative roles'


Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.


Users with Administrative roles will be prompted at the frequency set for MFA.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To configure Sign-in frequency and browser sessions persistence for Administrative users:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Protection > Conditional Access Select Policies.

Click New policy

Click Users and groups

Under Include select Select users and groups and then select Directory roles.

At a minimum, select the roles in the section below.

Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).

Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).

Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.

Check Persistent browser session then select Never persistent in the drop-down menu.

For Enable Policy select On and click Save

At minimum these directory roles should be included for MFA:

Application administrator

Authentication administrator

Billing administrator

Cloud application administrator

Conditional Access administrator

Exchange administrator

Global administrator

Global reader

Helpdesk administrator

Password administrator

Privileged authentication administrator

Privileged role administrator

Security administrator

SharePoint administrator

User administrator

Default Value:

The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days.

See Also