CA-11 · High · Recommended · Secure
Enforce Session Lifetime Limits
Conditional Access control for Microsoft 365 and Entra ID
Why This Control Matters
By default an Entra ID refresh token stays valid for 90 days, and that window rolls forward every time the token is used, so a user who signs in regularly is never forced to re-authenticate. A stolen refresh token therefore gives an attacker up to 90 days of access to your tenant, and the access tokens it mints carry the MFA claim the original sign-in already satisfied. Sign-in frequency limits cap how long a session can run before interactive re-authentication is required, bounding the damage from token theft. Note that a sign-in frequency policy does not revoke access tokens already issued; those remain valid until they expire (about an hour by default), so for an active compromise you still revoke the user's sessions explicitly.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Sign-in frequency is enforced via Conditional Access
2. User sessions expire within 24 hours at most
3. Admin sessions expire within 8 hours at most
4. Persistent browser sessions are disabled for sensitive apps
Enforcement
Default Mode: Advisory. Alerts on deviations but does not make changes.

Auto-Remediation: Available. Creates Conditional Access policies with sign-in frequency controls.
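The Python below is an added example, not TrueConfig's code, covering both the expected state above and the auto-remediation step: it evaluates the policy objects Microsoft Graph returns from `GET /identity/conditionalAccess/policies` against the four criteria, and builds the policy bodies a remediation would `POST` to the same endpoint. It assumes the Graph `conditionalAccessPolicy` schema (`sessionControls.signInFrequency`, `sessionControls.persistentBrowser`), the well-known Global Administrator role template ID, and a constructed sample tenant; the HTTP call and token acquisition are left out.

```python
"""Evaluate Conditional Access session policies against the CA-11 expected state
and build the remediation policies. Added example; not TrueConfig's implementation."""
from __future__ import annotations

import json
from typing import Iterable

# Well-known roleTemplateId for Global Administrator (the only admin role this example scopes to).
GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
USER_MAX_HOURS = 24   # criterion 2
ADMIN_MAX_HOURS = 8   # criterion 3


def _frequency_hours(policy: dict) -> int | None:
    """Sign-in frequency a policy actually enforces, in hours; None if it enforces nothing.
    Report-only and disabled policies are ignored because they never prompt anyone."""
    if policy.get("state") != "enabled":
        return None
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    value, unit = sif.get("value"), sif.get("type")
    if value is None or unit not in ("hours", "days"):
        return None
    return value * 24 if unit == "days" else value


def _applies_to_all_users(policy: dict) -> bool:
    users = policy["conditions"]["users"]
    return "All" in users.get("includeUsers", []) and not users.get("excludeUsers")


def _applies_to_admins(policy: dict) -> bool:
    users = policy["conditions"]["users"]
    return _applies_to_all_users(policy) or GLOBAL_ADMIN_ROLE_TEMPLATE in users.get("includeRoles", [])


def _covers_all_apps(policy: dict) -> bool:
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def evaluate(policies: Iterable[dict]) -> dict[str, bool]:
    """Map each CA-11 criterion to pass/fail using the tightest enforced policy in scope."""
    user_hours: list[int] = []
    admin_hours: list[int] = []
    persistent_disabled = False
    for p in policies:
        hours = _frequency_hours(p)
        if hours is not None and _covers_all_apps(p):
            if _applies_to_all_users(p):
                user_hours.append(hours)
            if _applies_to_admins(p):
                admin_hours.append(hours)
        pb = (p.get("sessionControls") or {}).get("persistentBrowser") or {}
        # Persistent browser control is only honoured by Entra when the policy targets all cloud apps.
        if (p.get("state") == "enabled" and pb.get("isEnabled") and pb.get("mode") == "never"
                and _covers_all_apps(p) and _applies_to_all_users(p)):
            persistent_disabled = True
    return {
        "sign_in_frequency_enforced": bool(user_hours or admin_hours),
        "user_sessions_within_24h": bool(user_hours) and min(user_hours) <= USER_MAX_HOURS,
        "admin_sessions_within_8h": bool(admin_hours) and min(admin_hours) <= ADMIN_MAX_HOURS,
        "persistent_browser_disabled": persistent_disabled,
    }


def session_policy(display_name: str, hours: int, users: dict, report_only: bool = True) -> dict:
    """Body for POST /identity/conditionalAccess/policies. Report-only by default, mirroring
    Advisory mode; flip report_only=False once the sign-in logs show no unexpected prompts."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": hours,
                                "frequencyInterval": "timeBased",
                                "authenticationType": "primaryAndSecondaryAuthentication"},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }


def remediation_policies(report_only: bool = True, break_glass_ids: list[str] | None = None) -> list[dict]:
    """The two policies that bring a tenant to the expected state. break_glass_ids (assumed
    caller-supplied object IDs) are excluded so emergency accounts are never locked out."""
    all_users = {"includeUsers": ["All"], "excludeUsers": break_glass_ids or []}
    admins = {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE]}
    return [
        session_policy("CA-11 Users: re-authenticate every 24h", USER_MAX_HOURS, all_users, report_only),
        session_policy("CA-11 Admins: re-authenticate every 8h", ADMIN_MAX_HOURS, admins, report_only),
    ]


# Constructed sample tenant: one enforced daily policy for everyone, one admin policy stuck in report-only.
SAMPLE_TENANT_POLICIES = [
    {"displayName": "Users: sign-in every day", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": 1,
                                             "frequencyInterval": "timeBased"}, "persistentBrowser": None}},
    {"displayName": "Admins: sign-in every 8h (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE]},
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 8,
                                             "frequencyInterval": "timeBased"},
                         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_TENANT_POLICIES), indent=2))
    print(json.dumps(remediation_policies(), indent=2))
```

Two things the checker deliberately gets strict about: a policy in report-only or disabled state counts for nothing, because the tenant is not actually prompting anyone, and a user scope with any `excludeUsers` is not treated as "all users". Note the break-glass exclusion in `remediation_policies`: the `excludeUsers` list is empty unless you pass IDs, and when you do, that policy no longer satisfies the "all users" test above, which is the intended trade-off; monitor those accounts separately rather than dropping the exclusion.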
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.