CA-11: Enforce Session Lifetime Limits for Guests and Admins

Overview

This guide walks you through configuring session lifetime limits using Conditional Access sign-in frequency controls, with a focus on the two elevated-risk populations this control targets: guests and administrators. Session lifetime limits force these users to re-authenticate after a specified period, reducing the window of exposure from stolen tokens or compromised sessions.

Control ID: CA-11
Category: Conditional Access
Severity: High
License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)

Expected State

  • Sign-in frequency is enforced via Conditional Access for high-risk scenarios
  • Guest user sessions expire within 24 hours
  • Admin sessions expire within 8 hours
  • Persistent browser sessions are disabled for guest access

Why guests and admins: Guests and admins represent elevated risk. Guest accounts access your data from unmanaged devices; limiting session lifetime reduces exposure if credentials are compromised. Admin sessions should be short-lived. Regular users on managed devices can have longer sessions to avoid productivity impact.

Why This Matters

By default, Microsoft Entra ID refresh tokens are valid for 90 days and are renewed on every use, so an active session can continue indefinitely without a fresh sign-in. This means:

  • Token theft exposure - Stolen tokens can provide access for up to 90 days
  • Terminated employees - Access may persist long after account should be disabled
  • Compliance gaps - Many regulations require more frequent authentication
  • Stale sessions - Long-lived sessions may not reflect current user context

Session lifetime limits reduce these risks by forcing periodic re-authentication.


Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended)
  • Security Administrator
  • Global Administrator

Required Licenses

  • Microsoft Entra ID P1 or higher
  • Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2

Pre-Configuration Requirements

Before configuring session limits:

  1. MFA registration - Confirm that in-scope users (including guests) have already registered an MFA method, because they will be prompted more frequently once the policies are on
  2. Emergency access accounts - Must be excluded
  3. User communication - Notify users about increased authentication prompts

Time Estimate

Task                   Duration
Policy planning        30 minutes
Policy creation        15-20 minutes
Testing                1-2 hours
User communication     30 minutes
Total                  2-4 hours

Recommended Session Lifetimes

Choose session lifetimes based on user roles and risk:

By User Type

User Type                    Sign-In Frequency                      Persistent Browser
Guest Users                  24 hours (maximum for this control)    Never persistent (required)
General Users                7-14 days                              Never persistent
Users on Unmanaged Devices   1-8 hours                              Never persistent
Administrators               8 hours (maximum for this control)     Never persistent
Global Administrators        1-4 hours                              Never persistent
High-Security Users          Every time                             Never persistent

By Application

Application Type                Sign-In Frequency
General productivity (M365)     14 days
Sensitive applications          8 hours
Admin portals                   4 hours
Financial/HR systems            1 hour

Step-by-Step Instructions

Part 1: General User Session Limits

Create a baseline policy for all users.

Step 1: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access > Policies
  3. Click + New policy

Step 2: Create Baseline Policy

  1. Name: Session Lifetime - General Users

Users:

  • Include: All users
  • Exclude: Emergency access accounts, Admin role groups (separate policy)

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Leave unconfigured (applies everywhere)

Grant:

  • Grant access (no additional requirements for this policy)

Session:

  1. Check Sign-in frequency
  2. Set: 14 days (or your chosen baseline)
  3. Check Persistent browser session
  4. Select: Never persistent

Enable:

  • Select On
  • Click Create

Part 2: Administrator Session Limits

Create stricter limits for administrators.

Step 1: Create Admin Policy

  1. Click + New policy
  2. Name: Session Lifetime - Administrators

Users:

  • Include: Select users and groups > Directory roles
  • Select all admin roles:
    • Global Administrator
    • Security Administrator
    • Privileged Role Administrator
    • Conditional Access Administrator
    • Exchange Administrator
    • SharePoint Administrator
    • (Add all relevant admin roles)
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Leave unconfigured

Grant:

  • Grant access
  • Require multifactor authentication (recommended for admins)

Session:

  1. Check Sign-in frequency
  2. Set: 8 hours (this control's maximum for admins; use 4 hours or less for Global Administrators)
  3. Check Persistent browser session
  4. Select: Never persistent

Enable:

  • Select On
  • Click Create

Part 3: Guest User Session Limits

Guests access your data from devices you do not manage, so their sessions must be short and non-persistent. This part is required for CA-11.

Step 1: Create Guest Session Policy

  1. Click + New policy
  2. Name: Session Lifetime - Guest Users

Users:

  • Include: Guest or external users > select every guest and external user type offered (B2B collaboration guests, B2B direct connect users, local guests, and any other external user types present in your tenant)
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Leave unconfigured (applies to all guest sign-ins)

Grant:

  • Grant access
  • Require multifactor authentication (recommended for guests - see EXT-02)

Session:

  1. Check Sign-in frequency
  2. Set: 24 hours (this control's maximum for guests)
  3. Check Persistent browser session
  4. Select: Never persistent (required for guests - do not allow "Always persistent")

Enable:

  • Select On
  • Click Create

Guests will now re-authenticate at least once every 24 hours and cannot keep a persistent browser session.


Part 4: Unmanaged Device Session Limits

Create stricter limits for personal/unmanaged devices.

Step 1: Create Unmanaged Device Policy

  1. Click + New policy
  2. Name: Session Lifetime - Unmanaged Devices

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  Use Filter for devices (preferred):

  1. Click Filter for devices
  2. Set Configure to Yes
  3. Select Include filtered devices in policy
  4. Add rule: device.isCompliant -ne True

  A negative operator such as -ne also matches devices that have no device record in Entra ID at all (unregistered personal devices), which is exactly the population this policy is meant to cover. If you also treat Microsoft Entra hybrid joined devices as managed, extend the rule to: device.isCompliant -ne True -and device.trustType -ne "ServerAD"

  Device state (legacy) is the older alternative: Configure: Yes; Include: All device states; Exclude: Device Hybrid Azure AD joined, Device marked as compliant. It is deprecated in favor of the device filter, so prefer the rule above for new policies.

Grant:

  • Grant access (or require MFA for additional security)

Session:

  1. Check Sign-in frequency
  2. Set: 1 hour (or 8 hours for less restrictive)
  3. Check Persistent browser session
  4. Select: Never persistent

Enable:

  • Select On
  • Click Create

Part 5: Sensitive Application Limits

Create specific limits for sensitive applications.

Step 1: Create Sensitive App Policy

  1. Click + New policy
  2. Name: Session Lifetime - Sensitive Applications

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: Select apps
  • Add sensitive applications:
    • Azure Portal (for Azure access)
    • Financial applications
    • HR applications
    • Custom LOB applications with sensitive data

Conditions:

  • Leave unconfigured

Grant:

  • Grant access
  • Require multifactor authentication

Session:

  1. Check Sign-in frequency
  2. Set: Every time (highest security) or 1 hour (balance)
  3. Leave Persistent browser session unconfigured in this policy: that control is only accepted when the policy targets All cloud apps, so browser persistence for these applications is governed by the All-cloud-apps policies from Parts 1-4

Enable:

  • Select On
  • Click Create
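The portal steps in Parts 2 and 3 can be expressed as code, which makes the policies reviewable and repeatable. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not part of the original guide. It creates the guest and administrator policies in report-only mode, and assumes two things the page does not state: the emergency access accounts are members of a group named "Emergency Access Accounts", and the Microsoft.Graph module is installed.

```powershell
# Added example (not part of the original CA-11 guide): create the guest and
# administrator session-lifetime policies from Parts 2 and 3 with the Microsoft
# Graph PowerShell SDK, in report-only mode, so they can be reviewed as code
# before enforcement.
# Assumptions not stated on the page: the emergency access accounts are members
# of a group named "Emergency Access Accounts" and the Microsoft.Graph module is
# installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'RoleManagement.Read.Directory', 'Group.Read.All'

# Refuse to create any policy without a break-glass exclusion.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw 'Emergency access group not found; not creating policies without an exclusion.' }

# Resolve role template IDs by display name instead of hard-coding GUIDs.
$adminRoleNames = @(
    'Global Administrator', 'Security Administrator', 'Privileged Role Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator'
)
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id
if (@($adminRoleIds).Count -ne $adminRoleNames.Count) { throw 'Could not resolve every admin role template.' }

# Shared session block: sign-in frequency applies to first and second factor,
# and mode "never" overrides the "Stay signed in?" prompt.
function New-SessionControls([int]$Hours) {
    @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = $Hours
                               frequencyInterval  = 'timeBased'
                               authenticationType = 'primaryAndSecondaryAuthentication' }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

$guestPolicy = @{
    displayName = 'Session Lifetime - Guest Users'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after testing
    conditions  = @{
        applications = @{ includeApplications = @('All') }   # required for persistentBrowser
        users        = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bDirectConnectUser,internalGuest,otherExternalUser'
                externalTenants = @{ '@odata.type' = '#microsoft.graph.conditionalAccessAllExternalTenants'
                                     membershipKind = 'all' }
            }
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = New-SessionControls -Hours 24
}

$adminPolicy = @{
    displayName = 'Session Lifetime - Administrators'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @('All') }
        users        = @{ includeRoles = @($adminRoleIds); excludeGroups = @($breakGlass.Id) }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = New-SessionControls -Hours 8
}

foreach ($body in @($guestPolicy, $adminPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

Both policies are created as report-only; review the "Report-only" results in the sign-in log for a few days, then flip the state to enabled with Update-MgIdentityConditionalAccessPolicy. The script deliberately stops if the exclusion group or any role template cannot be resolved, since a session policy applied to the break-glass accounts is the failure mode this guide warns about.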

Understanding Sign-In Frequency Behavior

How Sign-In Frequency Works

  1. User authenticates and receives tokens
  2. Tokens are valid for normal duration
  3. When sign-in frequency interval expires, user must re-authenticate
  4. Re-authentication may be silent (PRT) or interactive (MFA prompt)

Silent vs. Interactive Re-Authentication

Silent (SSO) Re-authentication:

  • User has valid Primary Refresh Token (PRT)
  • Device is Entra ID joined/registered
  • User may not notice re-authentication

Interactive Re-authentication:

  • User must enter credentials
  • MFA prompt may appear
  • Occurs when PRT is invalid or policy requires it

"Every Time" Option

Setting sign-in frequency to "Every time":

  • Forces a fresh authentication on every new token request to the targeted apps
  • Most secure but most friction
  • Use for highly sensitive applications only
  • Does not by itself mean MFA every time; the re-authentication includes MFA only when a policy also requires it (sign-in frequency applies to both first and second factor)
  • Microsoft documents "Every time" as supported only for specific scenarios (for example risk remediation, Intune device enrollment and authentication contexts); check the current Conditional Access documentation before relying on it for a general line-of-business application

Verification Checklist

After configuring session lifetime policies:

Policy Verification

  • Guest user policy created (sign-in frequency 24 hours, never persistent)
  • Administrator policy created (sign-in frequency 8 hours or less)
  • General user policy created with appropriate frequency
  • Unmanaged device policy created (if needed)
  • Sensitive application policies created (if needed)
  • Persistent browser sessions are disabled for guests
  • Emergency access accounts excluded from all policies

Functional Testing

  1. Test General User:

    • Sign in as test user
    • Wait for configured interval (or use short interval for testing)
    • Verify re-authentication prompt appears
  2. Test Administrator:

    • Sign in with admin account
    • Verify stricter session limits apply
    • Confirm MFA is prompted if configured
  3. Test Unmanaged Device:

    • Sign in from non-compliant device
    • Verify shorter session limit applies
    • Confirm browser session is not persistent

Sign-In Log Verification

  1. Navigate to Entra admin center > Monitoring > Sign-in logs
  2. Review recent sign-ins
  3. Check Conditional Access tab for policy application
  4. Verify sign-in frequency policy is applied
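A read-only audit complements the manual checklist above. The following is an added example written for this page, not code from the original guide: it summarises every Conditional Access policy that carries a session control, checks the summary against the CA-11 expected state (guests at 24 hours or less, directory roles at 8 hours or less, never-persistent browser on an All-cloud-apps policy), and then lists recent guest sign-ins where no sign-in-frequency control was enforced. It assumes, as the guide does, that emergency access accounts are excluded through a group, so a policy with no excluded group is flagged for review; the EnforcedSessionControls value name it filters on is taken from the Graph signIn resource and should be checked against your tenant's output if the final query matches nothing.

```powershell
# Added example (not part of the original guide): audit the tenant against the
# CA-11 expected state and confirm from the sign-in log that the guest policy is
# actually being applied. Read-only; nothing is changed.
# Assumption not on the page: emergency access accounts are excluded via a group,
# so an enabled policy with no excluded group is flagged for review.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All'

function Get-SessionPolicySummary {
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $sif = $p.SessionControls.SignInFrequency
        $pb  = $p.SessionControls.PersistentBrowser
        if (-not $sif.IsEnabled -and -not $pb.IsEnabled) { continue }   # not a session policy

        # Normalise the frequency to hours; 0 means "every time".
        $hours = $null
        if ($sif.IsEnabled) {
            $hours = if ($sif.FrequencyInterval -eq 'everyTime') { 0 }
                     elseif ($sif.Type -eq 'days')              { $sif.Value * 24 }
                     else                                       { $sif.Value }
        }
        [pscustomobject]@{
            Policy          = $p.DisplayName
            State           = $p.State
            TargetsGuests   = [bool]$p.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes
            TargetsRoles    = @($p.Conditions.Users.IncludeRoles).Count -gt 0
            AllApps         = $p.Conditions.Applications.IncludeApplications -contains 'All'
            FrequencyHours  = $hours
            NeverPersistent = ($pb.IsEnabled -and $pb.Mode -eq 'never')
            ExcludesGroup   = @($p.Conditions.Users.ExcludeGroups).Count -gt 0
        }
    }
}

$summary  = Get-SessionPolicySummary
$enforced = $summary | Where-Object State -eq 'enabled'
$summary | Format-Table -AutoSize

# Expected-state checks from the Verification Checklist.
if (-not ($enforced | Where-Object { $_.TargetsGuests -and $_.NeverPersistent -and $null -ne $_.FrequencyHours -and $_.FrequencyHours -le 24 })) {
    Write-Warning 'CA-11: no enabled policy gives guests a sign-in frequency <= 24h with never-persistent browser'
}
if (-not ($enforced | Where-Object { $_.TargetsRoles -and $null -ne $_.FrequencyHours -and $_.FrequencyHours -le 8 })) {
    Write-Warning 'CA-11: no enabled policy gives directory roles a sign-in frequency <= 8h'
}
$summary | Where-Object { $_.NeverPersistent -and -not $_.AllApps } | ForEach-Object {
    Write-Warning "$($_.Policy): persistent browser control is only honoured when the policy targets All cloud apps"
}
$enforced | Where-Object { -not $_.ExcludesGroup } | ForEach-Object {
    Write-Warning "$($_.Policy): no excluded group; confirm emergency access accounts are excluded"
}

# Sign-in log check: recent guest sign-ins where no sign-in-frequency control was
# enforced. The 'SignInFrequency' value name is assumed from the Graph signIn
# resource; compare with your tenant's output if nothing matches.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.UserType -eq 'guest' } |
    Where-Object {
        -not ($_.AppliedConditionalAccessPolicies |
              Where-Object { $_.Result -eq 'success' -and $_.EnforcedSessionControls -contains 'SignInFrequency' })
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ConditionalAccessStatus |
    Format-Table -AutoSize
```

Any guest sign-in listed by the final query is one the guest policy did not govern; the usual causes are the policy still being in report-only mode, the guest type not being selected in the policy, or the sign-in predating policy creation.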

Troubleshooting

Users Not Being Re-Prompted

Symptom: Users are not prompted to re-authenticate at expected intervals.

Solutions:

  1. Verify the policy is On, not Report-only
  2. Check whether the user is excluded from the policy, or is simply not in the included population (for example, a member account tested against the guest policy)
  3. The interval is enforced at the next token request, not mid-session: an app or browser tab holding a still-valid access token keeps working until it needs a refresh
  4. On Entra joined or registered devices with a valid PRT, re-authentication can complete silently with no visible prompt; confirm policy application in the sign-in log rather than waiting for a prompt
  5. Clear browser cookies (or use a private window) to force an interactive sign-in

Users Prompted Too Frequently

Symptom: Users are prompted more often than configured.

Solutions:

  1. Check for multiple overlapping policies
  2. Verify the correct frequency is set
  3. Check if other policies require MFA (may cause additional prompts)
  4. Review if app is configured for single sign-on

Persistent Browser Session Not Working

Symptom: Users remain signed in despite "Never persistent" setting.

Solutions:

  1. The control is only honoured when the policy targets All cloud apps; a "Select apps" policy with Never persistent is not applied
  2. Verify the policy is On and that the user is in scope (not excluded)
  3. "Never persistent" overrides the "Stay signed in?" prompt; if users still see that prompt, the policy is not applying to them
  4. Clear browser cookies and cache and retest in an incognito/private window, so a session persisted before the policy took effect does not confuse the test
  5. Check for browser extensions or password managers that restore sessions

Different Behavior on Different Devices

Symptom: Session limits differ between devices.

Solutions:

  1. Check if device-specific policies exist
  2. Verify device compliance status
  3. Managed devices may have silent SSO extending apparent session
  4. Review all applicable Conditional Access policies

Emergency Access Blocked

Symptom: Emergency access accounts are affected by session limits.

Solutions:

  1. Verify emergency accounts are in the exclusion list
  2. Check for typos in excluded account UPNs
  3. Ensure exclusion group membership is correct
  4. Test emergency account access

Policy Configuration Summary

General Users Policy

Setting                         Value
Policy Name                     Session Lifetime - General Users
Users - Include                 All users
Users - Exclude                 Emergency access accounts, Admin groups
Cloud Apps                      All cloud apps
Session - Sign-in frequency     14 days
Session - Persistent browser    Never persistent
Enable Policy                   On

Guest Users Policy

Setting                         Value
Policy Name                     Session Lifetime - Guest Users
Users - Include                 All guest and external users
Users - Exclude                 Emergency access accounts
Cloud Apps                      All cloud apps
Grant                           Require MFA (recommended)
Session - Sign-in frequency     24 hours
Session - Persistent browser    Never persistent
Enable Policy                   On

Administrator Policy

Setting                         Value
Policy Name                     Session Lifetime - Administrators
Users - Include                 Directory roles (all admin roles)
Users - Exclude                 Emergency access accounts
Cloud Apps                      All cloud apps
Grant                           Require MFA
Session - Sign-in frequency     8 hours (4 hours or less for Global Administrators)
Session - Persistent browser    Never persistent
Enable Policy                   On

Unmanaged Device Policy

Setting                         Value
Policy Name                     Session Lifetime - Unmanaged Devices
Users - Include                 All users
Users - Exclude                 Emergency access accounts
Cloud Apps                      All cloud apps
Conditions                      Filter for devices: device.isCompliant -ne True (non-compliant and unregistered devices)
Session - Sign-in frequency     1 hour
Session - Persistent browser    Never persistent
Enable Policy                   On

Balancing Security and User Experience

Considerations

  • Shorter sessions = More security, More friction
  • Longer sessions = Less security, Better experience

Finding the Right Balance

  1. Assess risk: What's the impact of a compromised session?
  2. Consider users: How will increased prompts affect productivity?
  3. Layer controls: Use other controls (MFA, device compliance) to reduce need for short sessions
  4. Monitor feedback: Adjust based on user complaints and security incidents

Recommended Approach

  1. Start with moderate limits (14 days for general, 8 hours for admins)
  2. Monitor for 30 days
  3. Review sign-in logs and user feedback
  4. Adjust as needed
  5. Tighten limits where risk warrants

Integration with Other Controls

Continuous Access Evaluation (CAE)

CAE complements session limits by:

  • Revoking tokens immediately on critical events
  • Enforcing location changes
  • Reducing effective token lifetime

With CAE, you may not need extremely short session limits.

Token Protection

Token protection binds sign-in session tokens to the device they were issued on, so a token copied off that device is unusable elsewhere. It currently covers only specific clients and platforms (check Microsoft's supported-scenario list before relying on it), so it reduces but does not eliminate the need for short session limits.

MFA

Combining session limits with MFA ensures:

  • Users must re-authenticate periodically
  • Re-authentication requires MFA
  • Stolen passwords alone are insufficient

Compliance Considerations

Some regulations require session timeouts:

Standard       Session Requirement
HIPAA          Automatic logoff (no specific time)
PCI-DSS        15-minute inactivity timeout for cardholder data
NIST 800-53    Session termination based on risk
ISO 27001      Defined session timeout policy

Configure session limits to meet your compliance requirements. Note that sign-in frequency is a maximum time since the last authentication, not an inactivity timeout: a user who is active the whole time is still re-prompted when the interval expires, and an idle user is not signed out early. Inactivity requirements such as the PCI-DSS 15-minute timeout must be met at the application layer (for example, the Microsoft 365 idle session timeout setting) rather than by this control.


Related Controls

  • CA-07: Session Controls (comprehensive session management)
  • CA-10: Token Protection (device binding)
  • PA-07: Continuous Access Evaluation (real-time revocation)
  • CA-02: Admin MFA (combined with session limits for admins)

Additional Resources