Warning
If you're using the configurable token lifetime feature currently in public preview, we don't support creating two different policies for the same user or app combination: one using this feature (authentication session management) and another using the configurable token lifetime feature. Microsoft retired the configurable token lifetime feature for refresh and session token lifetimes on January 30, 2021, and replaced it with the Conditional Access authentication session management feature.
Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. If "Remember MFA on trusted devices" is enabled, disable it before using Sign-in Frequency, as using these two settings together might prompt users unexpectedly. To learn more about reauthentication prompts and session lifetime, see the article, Optimize reauthentication prompts and understand session lifetime for Microsoft Entra multifactor authentication.
Policy deployment
To ensure your policy works as expected, test it before rolling it out into production. Use a test tenant to verify that your new policy works as intended. For more information, see the article Plan a Conditional Access deployment.
Policy 1: Sign-in frequency control
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Give your policy a name. Create a meaningful standard for naming policies.
- Choose all required conditions for your environment, including the target cloud apps.
Note
It's recommended to set equal authentication prompt frequency for key Microsoft 365 apps such as Exchange Online and SharePoint Online for best user experience.
- Under Access controls > Session.
  - Select Sign-in frequency.
  - Choose Periodic reauthentication and enter a value of hours or days, or select Every time.
  - Select Select.
- Save your policy.
Policy 2: Persistent browser session
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Choose all required conditions.
Note
This control requires selecting "All Cloud Apps" as a condition. Browser session persistence is controlled by the authentication session token. All tabs in a browser session share a single session token, so they must all share the same persistence state.
- Under Access controls > Session.
  - Select Persistent browser session.
Note
Persistent browser session configuration in Microsoft Entra Conditional Access overrides the "Stay signed in?" setting in the company branding pane for the same user if both policies are configured.
  - Select a value from the dropdown.
- Save your policy.
Policy 3: Sign-in frequency control every time for risky users
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Select Done.
- Under Target resources > Include, select All resources (formerly 'All cloud apps').
- Under Conditions > User risk, set Configure to Yes.
- Under Configure user risk levels needed for policy to be enforced, select High. This guidance is based on Microsoft recommendations and might be different for each organization.
- Select Done.
- Under Access controls > Grant, select Grant access.
- Select Require authentication strength, then select the built-in "Multifactor authentication" authentication strength from the list.
- Select Require password change.
- Select Select.
- Under Session.
- Select Sign-in frequency.
- Ensure Every time is selected.
- Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create your policy.
After confirming your settings using report-only mode, move the Enable policy toggle from Report-only to On.
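The three policies above can also be expressed as Microsoft Graph conditionalAccessPolicy request bodies. The following Python is an example added to this article, not Microsoft's own code or sample: it builds the bodies in the shape the Graph v1.0 `/identity/conditionalAccess/policies` endpoint expects, applies the constraints the article states (persistent browser session needs All resources, the every-time policy starts in report-only mode, break-glass accounts are excluded), and prepares the request without sending it. The break-glass object ID and the authentication strength ID are placeholders to replace with values from your tenant; the grant-control combination for Policy 3 mirrors the portal steps above and is assumed to be accepted by Graph as written.

```python
"""Build and lint Graph conditionalAccessPolicy bodies for the three policies
in this article. Example code, not Microsoft's own; schema assumed from Graph v1.0."""
import json

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholders (constructed for this example): replace with your tenant's values.
BREAK_GLASS_OBJECT_IDS = ["00000000-0000-0000-0000-0000000000aa"]  # placeholder object ID
MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000002"  # assumed built-in "Multifactor authentication" strength; verify in your tenant

REPORT_ONLY = "enabledForReportingButNotEnforced"


def _base(name, app_ids):
    """Common skeleton: all users minus break-glass accounts, report-only by default."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_OBJECT_IDS)},
            "applications": {"includeApplications": list(app_ids)},
            "clientAppTypes": ["all"],
        },
    }


def sign_in_frequency_policy(name, app_ids, value, unit):
    """Policy 1: periodic reauthentication every `value` hours or days for the target apps."""
    if unit not in ("hours", "days") or value < 1:
        raise ValueError("value must be >= 1 and unit must be 'hours' or 'days'")
    policy = _base(name, app_ids)
    policy["sessionControls"] = {
        "signInFrequency": {
            "isEnabled": True,
            "frequencyInterval": "timeBased",
            "type": unit,
            "value": value,
        }
    }
    return policy


def persistent_browser_policy(name, mode):
    """Policy 2: browser session persistence; the article requires All resources as target."""
    if mode not in ("always", "never"):
        raise ValueError("mode must be 'always' or 'never'")
    policy = _base(name, ["All"])
    policy["sessionControls"] = {"persistentBrowser": {"isEnabled": True, "mode": mode}}
    return policy


def risky_user_every_time_policy(name):
    """Policy 3: high user risk -> MFA strength + password change, reauthenticate every time."""
    policy = _base(name, ["All"])
    policy["conditions"]["userRiskLevels"] = ["high"]
    policy["grantControls"] = {
        "operator": "AND",
        "builtInControls": ["passwordChange"],
        "authenticationStrength": {"id": MFA_STRENGTH_ID},
    }
    policy["sessionControls"] = {
        "signInFrequency": {
            "isEnabled": True,
            "frequencyInterval": "everyTime",
            "authenticationType": "primaryAndSecondaryAuthentication",
        }
    }
    return policy


def lint_policy(policy):
    """Return the list of problems found, using the rules stated in the article."""
    problems = []
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    session = policy.get("sessionControls") or {}
    if "persistentBrowser" in session and apps != ["All"]:
        problems.append("persistent browser session requires includeApplications == ['All']")
    sif = session.get("signInFrequency") or {}
    if sif.get("frequencyInterval") == "everyTime" and policy.get("state") == "enabled":
        problems.append("every-time sign-in frequency should be validated in report-only mode first")
    if not cond.get("users", {}).get("excludeUsers"):
        problems.append("no break-glass accounts are excluded")
    return problems


def build_request(policy):
    """Prepare (method, url, body) for the Graph call; sending it is left to the caller."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return "POST", GRAPH_POLICIES_URL, json.dumps(policy)


if __name__ == "__main__":
    for p in (
        sign_in_frequency_policy("CA-SIF-M365", ["Office365"], 1, "hours"),
        persistent_browser_policy("CA-PersistentBrowser-Never", "never"),
        risky_user_every_time_policy("CA-RiskyUser-EveryTime"),
    ):
        print(build_request(p)[2])
```

`lint_policy` is deliberately run before the request is built so a policy that would break a rule the article calls out (for example, persistent browser session targeting only one app) never leaves the script; the bodies default to report-only so the What If tool and sign-in logs can be used to confirm behaviour before switching the state to enabled.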
Validation
Use the What If tool to simulate a sign-in to the target application and other conditions based on your policy configuration. The authentication session management controls show up in the result of the tool.
Prompt tolerance
We account for five minutes of clock skew when Every time is selected in a policy, so we don't prompt users more often than once every five minutes. If the user completed MFA in the last 5 minutes and encounters another Conditional Access policy that requires reauthentication, we don't prompt the user again. Prompting users too often for reauthentication can affect their productivity and increase the risk of users approving MFA requests they didn't initiate. Use "Sign-in frequency – every time" only when there are specific business needs.
Known issues
- If you configure sign-in frequency for mobile devices: Authentication after each sign-in frequency interval might be slow and can take 30 seconds on average. This issue might also occur across various apps simultaneously.
- On iOS devices: If an app configures certificates as the first authentication factor and has both sign-in frequency and Intune mobile application management policies applied, users are blocked from signing in to the app when the policy triggers.
- Microsoft Entra Private Access doesn't support setting sign-in frequency to every time.
Next steps
- Ready to configure Conditional Access policies for your environment? See Plan a Conditional Access deployment.