CA-11: Enforce Session Lifetime Limits for Guests and Admins
Overview
This guide walks you through configuring session lifetime limits using Conditional Access sign-in frequency controls, with a focus on the two elevated-risk populations this control targets: guests and administrators. Session lifetime limits force these users to re-authenticate after a specified period, reducing the window of exposure from stolen tokens or compromised sessions.
- Control ID: CA-11
- Category: Conditional Access
- Severity: High
- License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)
Expected State
- Sign-in frequency is enforced via Conditional Access for high-risk scenarios
- Guest user sessions expire within 24 hours
- Admin sessions expire within 8 hours
- Persistent browser sessions are disabled for guest access
Why guests and admins: Guests and admins represent elevated risk. Guest accounts access your data from unmanaged devices; limiting session lifetime reduces exposure if credentials are compromised. Admin sessions should be short-lived. Regular users on managed devices can have longer sessions to avoid productivity impact.
Why This Matters
By default, Microsoft Entra ID refresh tokens are valid for up to 90 days. This means:
- Token theft exposure - Stolen tokens can provide access for up to 90 days
- Terminated employees - Access may persist long after the account should have been disabled
- Compliance gaps - Many regulations require more frequent authentication
- Stale sessions - Long-lived sessions may not reflect current user context
Session lifetime limits reduce these risks by forcing periodic re-authentication.
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P1 or higher
- Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2
Pre-Configuration Requirements
Before configuring session limits:
- MFA registration complete - Users will be prompted more frequently, so they must already be registered for MFA
- Emergency access accounts - Must be excluded
- User communication - Notify users about increased authentication prompts
Time Estimate
| Task | Duration |
|---|---|
| Policy planning | 30 minutes |
| Policy creation | 15-20 minutes |
| Testing | 1-2 hours |
| User communication | 30 minutes |
| Total | 2-4 hours |
Recommended Session Lifetimes
Choose session lifetimes based on user roles and risk:
By User Type
| User Type | Sign-In Frequency | Persistent Browser |
|---|---|---|
| Guest Users | 24 hours (maximum for this control) | Never persistent (required) |
| General Users | 7-14 days | Never persistent |
| Users on Unmanaged Devices | 1-8 hours | Never persistent |
| Administrators | 8 hours (maximum for this control) | Never persistent |
| Global Administrators | 1-4 hours | Never persistent |
| High-Security Users | Every time | Never persistent |
By Application
| Application Type | Sign-In Frequency |
|---|---|
| General productivity (M365) | 14 days |
| Sensitive applications | 8 hours |
| Admin portals | 4 hours |
| Financial/HR systems | 1 hour |
Step-by-Step Instructions
Part 1: General User Session Limits
Create a baseline policy for all users.
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Conditional Access > Policies
- Click + New policy
Step 2: Create Baseline Policy
- Name:
Session Lifetime - General Users
Users:
- Include: All users
- Exclude: Emergency access accounts, Admin role groups (separate policy)
Cloud Apps:
- Include: All cloud apps
Conditions:
- Leave unconfigured (applies everywhere)
Grant:
- Grant access (no additional requirements for this policy)
Session:
- Check Sign-in frequency
- Set: 14 days (or your chosen baseline)
- Check Persistent browser session
- Select: Never persistent
Enable:
- Select On
- Click Create
Part 2: Administrator Session Limits
Create stricter limits for administrators.
Step 1: Create Admin Policy
- Click + New policy
- Name:
Session Lifetime - Administrators
Users:
- Include: Select users and groups > Directory roles
- Select all admin roles:
- Global Administrator
- Security Administrator
- Privileged Role Administrator
- Conditional Access Administrator
- Exchange Administrator
- SharePoint Administrator
- (Add all relevant admin roles)
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Leave unconfigured
Grant:
- Grant access
- Require multifactor authentication (recommended for admins)
Session:
- Check Sign-in frequency
- Set: 8 hours (this control's maximum for admins; use 4 hours or less for Global Administrators)
- Check Persistent browser session
- Select: Never persistent
Enable:
- Select On
- Click Create
Part 3: Guest User Session Limits
Guests access your data from devices you do not manage, so their sessions must be short and non-persistent. This part is required for CA-11.
Step 1: Create Guest Session Policy
- Click + New policy
- Name:
Session Lifetime - Guest Users
Users:
- Include: Guest or external users > select All guest and external users (B2B collaboration and B2B direct connect guests)
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Leave unconfigured (applies to all guest sign-ins)
Grant:
- Grant access
- Require multifactor authentication (recommended for guests - see EXT-02)
Session:
- Check Sign-in frequency
- Set: 24 hours (this control's maximum for guests)
- Check Persistent browser session
- Select: Never persistent (required for guests - do not allow "Always persistent")
Enable:
- Select On
- Click Create
Guests will now re-authenticate at least once every 24 hours and cannot keep a persistent browser session.
Part 4: Unmanaged Device Session Limits
Create stricter limits for personal/unmanaged devices.
Step 1: Create Unmanaged Device Policy
- Click + New policy
- Name:
Session Lifetime - Unmanaged Devices
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Click Filter for devices
- Set Configure to Yes
- Select Include filtered devices in policy
- Add rule: device.isCompliant -ne True
Or, a simpler approach:
- Click Device state (legacy)
- Configure: Yes
- Include: All device states
- Exclude: Device Hybrid Azure AD joined, Device marked as compliant
Grant:
- Grant access (or require MFA for additional security)
Session:
- Check Sign-in frequency
- Set: 1 hour (or 8 hours for less restrictive)
- Check Persistent browser session
- Select: Never persistent
Enable:
- Select On
- Click Create
Part 5: Sensitive Application Limits
Create specific limits for sensitive applications.
Step 1: Create Sensitive App Policy
- Click + New policy
- Name:
Session Lifetime - Sensitive Applications
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: Select apps
- Add sensitive applications:
- Azure Portal (for Azure access)
- Financial applications
- HR applications
- Custom LOB applications with sensitive data
Conditions:
- Leave unconfigured
Grant:
- Grant access
- Require multifactor authentication
Session:
- Check Sign-in frequency
- Set: Every time (for highest security)
- Or set: 1 hour (for balance)
- Check Persistent browser session
- Select: Never persistent
Enable:
- Select On
- Click Create
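The five portal procedures above, collected into one added example that is not code from the original guide, using the Microsoft Graph PowerShell SDK (modules Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement). It assumes your emergency access accounts are members of a single security group, whose object id replaces the placeholder in $emergencyGroupId, and the sensitive-application call takes a placeholder application id. Admin roles are resolved by display name at run time rather than hard-coded. The Part 1 baseline for general users follows the same pattern with -Hours 336 (14 days).

```powershell
# Added example (not part of the original guide): creates the CA-11 session-lifetime
# policies with the Microsoft Graph PowerShell SDK instead of clicking through the portal.
# Modules: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement.
# Assumptions: emergency access accounts sit in one security group ($emergencyGroupId is a
# placeholder), and the sensitive-app call below takes a placeholder application id.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory'

$emergencyGroupId = '<EMERGENCY-ACCESS-GROUP-OBJECT-ID>'   # placeholder: your break-glass group

function New-SessionLifetimePolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Users,      # Graph conditionalAccessUsers object
        [string[]]  $Applications = @('All'),           # application ids, or 'All'
        [int]       $Hours = 0,                         # sign-in frequency; ignored with -EveryTime
        [switch]    $EveryTime,
        [switch]    $RequireMfa,
        [hashtable] $DeviceFilter,                      # @{ mode = 'include'; rule = '...' }
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced')]
        [string]    $State = 'enabled'
    )
    # Graph stores the interval as 1-23 hours or 1-365 days, so "24 hours" must be sent as 1 day.
    if ($EveryTime) {
        $sif = @{ isEnabled = $true; frequencyInterval = 'everyTime'
                  authenticationType = 'primaryAndSecondaryAuthentication' }
    } elseif ($Hours -ge 24 -and $Hours % 24 -eq 0) {
        $sif = @{ isEnabled = $true; frequencyInterval = 'timeBased'; type = 'days'; value = [int]($Hours / 24) }
    } elseif ($Hours -ge 1) {
        $sif = @{ isEnabled = $true; frequencyInterval = 'timeBased'; type = 'hours'; value = $Hours }
    } else {
        throw 'Specify -Hours (1-23, or a multiple of 24) or -EveryTime'
    }
    $conditions = @{
        users          = $Users
        applications   = @{ includeApplications = $Applications }
        clientAppTypes = @('all')
    }
    if ($DeviceFilter) { $conditions.devices = @{ deviceFilter = $DeviceFilter } }
    $body = @{
        displayName     = $Name
        state           = $State
        conditions      = $conditions
        sessionControls = @{
            signInFrequency   = $sif
            persistentBrowser = @{ isEnabled = $true; mode = 'never' }   # "Never persistent"
        }
    }
    if ($RequireMfa) { $body.grantControls = @{ operator = 'OR'; builtInControls = @('mfa') } }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Part 3 - guests: 24 h (the control's maximum), never persistent, MFA.
New-SessionLifetimePolicy -Name 'Session Lifetime - Guest Users' -Hours 24 -RequireMfa -Users @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bDirectConnectUser'
        externalTenants = @{ '@odata.type' = '#microsoft.graph.conditionalAccessAllExternalTenants'
                             membershipKind = 'all' }
    }
    excludeGroups = @($emergencyGroupId)
}

# Part 2 - admins: 8 h maximum, scoped by directory role (looked up by name, not hard-coded ids).
$adminRoleNames = 'Global Administrator', 'Security Administrator', 'Privileged Role Administrator',
                  'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator'
$adminRoleIds = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -in $adminRoleNames |
                Select-Object -ExpandProperty Id
New-SessionLifetimePolicy -Name 'Session Lifetime - Administrators' -Hours 8 -RequireMfa -Users @{
    includeRoles  = @($adminRoleIds)
    excludeGroups = @($emergencyGroupId)
}

# Part 4 - unmanaged devices: 1 h via the device filter; start in report-only to gauge impact.
New-SessionLifetimePolicy -Name 'Session Lifetime - Unmanaged Devices' -Hours 1 `
    -Users @{ includeUsers = @('All'); excludeGroups = @($emergencyGroupId) } `
    -DeviceFilter @{ mode = 'include'; rule = 'device.isCompliant -ne True' } `
    -State enabledForReportingButNotEnforced

# Part 5 - sensitive apps: "Every time" plus MFA; replace the placeholder application id.
New-SessionLifetimePolicy -Name 'Session Lifetime - Sensitive Applications' -EveryTime -RequireMfa `
    -Users @{ includeUsers = @('All'); excludeGroups = @($emergencyGroupId) } `
    -Applications @('<SENSITIVE-APP-ID>')
```

The unmanaged-device policy is created in report-only state on purpose: the device filter catches every device that is not marked compliant, so reviewing the report-only results in the sign-in logs before switching state to enabled avoids prompting far more users than intended.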
Understanding Sign-In Frequency Behavior
How Sign-In Frequency Works
- User authenticates and receives tokens
- Tokens are valid for normal duration
- When sign-in frequency interval expires, user must re-authenticate
- Re-authentication may be silent (PRT) or interactive (MFA prompt)
Silent vs. Interactive Re-Authentication
Silent (SSO) Re-authentication:
- User has valid Primary Refresh Token (PRT)
- Device is Entra ID joined/registered
- User may not notice re-authentication
Interactive Re-authentication:
- User must enter credentials
- MFA prompt may appear
- Occurs when PRT is invalid or policy requires it
"Every Time" Option
Setting sign-in frequency to "Every time":
- Forces authentication on every access
- Most secure but most friction
- Use for highly sensitive applications only
- Does not mean MFA every time (unless MFA is also required)
Verification Checklist
After configuring session lifetime policies:
Policy Verification
- Guest user policy created (sign-in frequency 24 hours, never persistent)
- Administrator policy created (sign-in frequency 8 hours or less)
- General user policy created with appropriate frequency
- Unmanaged device policy created (if needed)
- Sensitive application policies created (if needed)
- Persistent browser sessions are disabled for guests
- Emergency access accounts excluded from all policies
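The policy-verification checklist above as an added audit script, not code from the original guide, using Microsoft.Graph.Identity.SignIns. It reads every Conditional Access policy, normalises the sign-in frequency to hours, and reports PASS/FAIL for the CA-11 expected state; it also lists every policy that carries a sign-in frequency, which makes overlapping policies (the "prompted too frequently" case in Troubleshooting) visible. It assumes emergency access accounts are excluded via one security group, whose id replaces the placeholder.

```powershell
# Added example (not part of the original guide): audits Conditional Access policies
# against the CA-11 expected state. Module: Microsoft.Graph.Identity.SignIns.
# Assumption: emergency access accounts are in the group whose id is in $emergencyGroupId.
Connect-MgGraph -Scopes 'Policy.Read.All'
$emergencyGroupId = '<EMERGENCY-ACCESS-GROUP-OBJECT-ID>'   # placeholder

function Get-SignInFrequencyHours {
    # Normalises Graph's signInFrequency to hours: 0 = "Every time", $null = not configured.
    param($Sif)
    if (-not $Sif -or -not $Sif.IsEnabled) { return $null }
    if ($Sif.FrequencyInterval -eq 'everyTime') { return 0 }
    if ($Sif.Type -eq 'days') { return [int]$Sif.Value * 24 }
    return [int]$Sif.Value
}

$rows = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $u  = $p.Conditions.Users
    $pb = $p.SessionControls.PersistentBrowser
    [pscustomobject]@{
        Policy        = $p.DisplayName
        State         = $p.State
        TargetsGuests = [bool]$u.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes -or
                        ($u.IncludeUsers -contains 'GuestsOrExternalUsers')   # legacy guest selector
        TargetsAdmins = ($u.IncludeRoles | Measure-Object).Count -gt 0
        SifHours      = Get-SignInFrequencyHours $p.SessionControls.SignInFrequency
        NeverPersist  = [bool]$pb.IsEnabled -and $pb.Mode -eq 'never'
        ExcludesBreakGlass = $u.ExcludeGroups -contains $emergencyGroupId
    }
}

# Every policy with a sign-in frequency, so overlapping policies are easy to spot.
$rows | Where-Object { $null -ne $_.SifHours } | Format-Table -AutoSize

$enabled = $rows | Where-Object { $_.State -eq 'enabled' -and $null -ne $_.SifHours }
$checks = [ordered]@{
    'Guest sessions <= 24h and never persistent'      = [bool]($enabled | Where-Object { $_.TargetsGuests -and $_.SifHours -le 24 -and $_.NeverPersist })
    'Admin sessions <= 8h'                             = [bool]($enabled | Where-Object { $_.TargetsAdmins -and $_.SifHours -le 8 })
    'Break-glass group excluded from all SIF policies' = -not ($rows | Where-Object { $null -ne $_.SifHours -and -not $_.ExcludesBreakGlass })
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-50} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
```

A policy in report-only state counts as a FAIL for the first two checks, matching the Troubleshooting note that report-only policies do not prompt anyone.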
Functional Testing
Test General User:
- Sign in as test user
- Wait for configured interval (or use short interval for testing)
- Verify re-authentication prompt appears
Test Administrator:
- Sign in with admin account
- Verify stricter session limits apply
- Confirm MFA is prompted if configured
Test Unmanaged Device:
- Sign in from non-compliant device
- Verify shorter session limit applies
- Confirm browser session is not persistent
Sign-In Log Verification
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Review recent sign-ins
- Check Conditional Access tab for policy application
- Verify sign-in frequency policy is applied
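The sign-in log check above as an added example (not code from the original guide) using Microsoft.Graph.Reports: it pulls the last day of sign-ins and, for each one where a "Session Lifetime - ..." policy was evaluated, shows the policy result and the session controls Graph reports as enforced. The policy name prefix matches the names used in this guide; adjust it if yours differ.

```powershell
# Added example (not part of the original guide): evidence from the sign-in logs that the
# session-lifetime policies are applying. Module: Microsoft.Graph.Reports.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 200

$rows = foreach ($s in $signIns) {
    foreach ($cap in $s.AppliedConditionalAccessPolicies) {
        # Only the policies created in this guide; the prefix is an assumption.
        if ($cap.DisplayName -like 'Session Lifetime - *') {
            [pscustomobject]@{
                When     = $s.CreatedDateTime
                User     = $s.UserPrincipalName
                App      = $s.AppDisplayName
                Policy   = $cap.DisplayName
                Result   = $cap.Result                              # success, reportOnlySuccess, notApplied, ...
                Controls = ($cap.EnforcedSessionControls -join ', ') # session controls Graph says were enforced
            }
        }
    }
}
$rows | Sort-Object When -Descending | Format-Table -AutoSize
```

A guest sign-in that shows Result = success for the guest policy, with a session control listed under Controls, is the evidence the checklist asks for; a run of notApplied rows for a population you expected to match usually means the include or exclude scope is wrong.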
Troubleshooting
Users Not Being Re-Prompted
Symptom: Users are not prompted to re-authenticate at expected intervals.
Solutions:
- Verify policy is enabled (not Report-only)
- Check if user is excluded from policy
- Sign-in frequency is enforced only when the app or browser next requests a token, so the user may need to close and reopen it before a prompt appears
- Silent SSO may complete without visible prompt
- Clear browser cookies to force interactive auth
Users Prompted Too Frequently
Symptom: Users are prompted more often than configured.
Solutions:
- Check for multiple overlapping policies
- Verify the correct frequency is set
- Check if other policies require MFA (may cause additional prompts)
- Review if app is configured for single sign-on
Persistent Browser Session Not Working
Symptom: Users remain signed in despite "Never persistent" setting.
Solutions:
- Clear browser cookies and cache
- Check for browser extensions saving sessions
- Verify policy is enabled and applies to the user
- Test in incognito/private mode
Different Behavior on Different Devices
Symptom: Session limits differ between devices.
Solutions:
- Check if device-specific policies exist
- Verify device compliance status
- Managed devices may have silent SSO extending apparent session
- Review all applicable Conditional Access policies
Emergency Access Blocked
Symptom: Emergency access accounts are affected by session limits.
Solutions:
- Verify emergency accounts are in the exclusion list
- Check for typos in excluded account UPNs
- Ensure exclusion group membership is correct
- Test emergency account access
Policy Configuration Summary
General Users Policy
| Setting | Value |
|---|---|
| Policy Name | Session Lifetime - General Users |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts, Admin groups |
| Cloud Apps | All cloud apps |
| Session - Sign-in frequency | 14 days |
| Session - Persistent browser | Never persistent |
| Enable Policy | On |
Guest Users Policy
| Setting | Value |
|---|---|
| Policy Name | Session Lifetime - Guest Users |
| Users - Include | All guest and external users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Grant | Require MFA (recommended) |
| Session - Sign-in frequency | 24 hours |
| Session - Persistent browser | Never persistent |
| Enable Policy | On |
Administrator Policy
| Setting | Value |
|---|---|
| Policy Name | Session Lifetime - Administrators |
| Users - Include | Directory roles (all admin roles) |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Grant | Require MFA |
| Session - Sign-in frequency | 8 hours (4 hours or less for Global Administrators) |
| Session - Persistent browser | Never persistent |
| Enable Policy | On |
Unmanaged Device Policy
| Setting | Value |
|---|---|
| Policy Name | Session Lifetime - Unmanaged Devices |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions | Non-compliant devices |
| Session - Sign-in frequency | 1 hour |
| Session - Persistent browser | Never persistent |
| Enable Policy | On |
Balancing Security and User Experience
Considerations
- Shorter sessions = More security, More friction
- Longer sessions = Less security, Better experience
Finding the Right Balance
- Assess risk: What's the impact of a compromised session?
- Consider users: How will increased prompts affect productivity?
- Layer controls: Use other controls (MFA, device compliance) to reduce need for short sessions
- Monitor feedback: Adjust based on user complaints and security incidents
Recommended Approach
- Start with moderate limits (14 days for general, 8 hours for admins)
- Monitor for 30 days
- Review sign-in logs and user feedback
- Adjust as needed
- Tighten limits where risk warrants
Integration with Other Controls
Continuous Access Evaluation (CAE)
CAE complements session limits by:
- Revoking tokens immediately on critical events
- Enforcing location changes
- Reducing effective token lifetime
With CAE, you may not need extremely short session limits.
Token Protection
Token protection binds tokens to devices, making stolen tokens unusable. This reduces (but doesn't eliminate) the need for short session limits.
MFA
Combining session limits with MFA ensures:
- Users must re-authenticate periodically
- Re-authentication requires MFA
- Stolen passwords alone are insufficient
Compliance Considerations
Some regulations require session timeouts:
| Standard | Session Requirement |
|---|---|
| HIPAA | Automatic logoff (no specific time) |
| PCI-DSS | 15-minute inactivity timeout for cardholder data |
| NIST 800-53 | Session termination based on risk |
| ISO 27001 | Defined session timeout policy |
Configure session limits to meet your compliance requirements.
Related Controls
- CA-07: Session Controls (comprehensive session management)
- CA-10: Token Protection (device binding)
- PA-07: Continuous Access Evaluation (real-time revocation)
- CA-02: Admin MFA (combined with session limits for admins)