CA-11: Enforce Session Lifetime Limits for Guests and Admins
Frequently asked questions about implementing and managing the CA-11 security control in Microsoft 365 and Entra ID.
Q: What is CA-11 (Enforce Session Lifetime Limits for Guests and Admins)?
CA-11 is a security control that addresses the elevated risk represented by guest and admin accounts. Guest accounts access your data from unmanaged devices, so limiting session lifetime reduces exposure if their credentials are compromised; admin sessions should likewise be short-lived. Regular users on managed devices can have longer sessions to avoid productivity impact. The control requires that sign-in frequency is enforced via Conditional Access for high-risk scenarios, that guest user sessions expire within 24 hours, that admin sessions expire within 8 hours, and that persistent browser sessions are disabled for guest access.
Q: Why is Enforce Session Lifetime Limits for Guests and Admins important for Microsoft 365 security?
Guests and admins represent elevated risk. Guest accounts access your data from unmanaged devices; limiting session lifetime reduces exposure if credentials are compromised. Admin sessions should be short-lived. Regular users on managed devices can have longer sessions to avoid productivity impact.
Q: How do I implement CA-11 in my tenant?
TrueConfig provides one-click remediation for CA-11: it creates Conditional Access policies that set a sign-in frequency of 24 hours for guests and 8 hours for admins.
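The following added example (not TrueConfig's own code) shows what those two policies look like as Microsoft Graph conditionalAccessPolicy bodies, and an audit function that checks an existing policy set against the CA-11 requirements stated above: guest sign-in frequency of at most 24 hours, admin sign-in frequency of at most 8 hours, and persistent browser disabled for guests. The Global Administrator role template ID is Microsoft's documented value; the policy names, the choice to cover only that one role, and the sample tenant data are assumptions made for the example.

```python
"""Build and audit Entra ID Conditional Access policies for CA-11 session lifetime limits."""
from typing import Any, Optional

GUEST_MAX_HOURS = 24   # CA-11: guest sessions expire within 24 hours
ADMIN_MAX_HOURS = 8    # CA-11: admin sessions expire within 8 hours

# Global Administrator role template ID (documented, stable GUID).
# Assumption: a real deployment extends this list with the other privileged roles.
ADMIN_ROLE_IDS = ["62e90394-69f5-4237-9190-012177145e10"]


def guest_session_policy() -> dict[str, Any]:
    """Graph policy body: all guests/external users, 24h sign-in frequency, no persistent browser."""
    return {
        "displayName": "CA-11 Guest session lifetime",  # assumed name
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeGuestsOrExternalUsers": {
                    "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember,"
                                                "b2bDirectConnectUser,otherExternalUser,serviceProvider",
                    "externalTenants": {
                        "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                        "membershipKind": "all",
                    },
                }
            },
        },
        "sessionControls": {
            "signInFrequency": {"value": GUEST_MAX_HOURS, "type": "hours",
                                "frequencyInterval": "timeBased", "isEnabled": True},
            "persistentBrowser": {"mode": "never", "isEnabled": True},
        },
    }


def admin_session_policy() -> dict[str, Any]:
    """Graph policy body: privileged directory roles, 8h sign-in frequency."""
    return {
        "displayName": "CA-11 Admin session lifetime",  # assumed name
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeRoles": ADMIN_ROLE_IDS},
        },
        "sessionControls": {
            "signInFrequency": {"value": ADMIN_MAX_HOURS, "type": "hours",
                                "frequencyInterval": "timeBased", "isEnabled": True},
        },
    }


def sign_in_frequency_hours(session_controls: dict[str, Any]) -> Optional[float]:
    """Effective sign-in frequency in hours, or None when the control is not enforced."""
    sif = session_controls.get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0.0  # re-authenticate on every sign-in: stricter than any hour limit
    value = sif.get("value")
    if value is None:
        return None
    return float(value) * (24 if sif.get("type") == "days" else 1)


def covers_guests(users: dict[str, Any]) -> bool:
    """True if the policy's user scope includes guest/external users (new or legacy syntax)."""
    return bool(users.get("includeGuestsOrExternalUsers")) or any(
        u in ("GuestsOrExternalUsers", "All") for u in users.get("includeUsers", []))


def covers_admins(users: dict[str, Any]) -> bool:
    """True if the policy's user scope targets directory roles or all users."""
    return bool(users.get("includeRoles")) or "All" in users.get("includeUsers", [])


def audit_ca11(policies: list[dict[str, Any]]) -> dict[str, bool]:
    """Check whether an enabled policy set satisfies each CA-11 requirement.
    Simplification: exclusions (excludeUsers/excludeRoles) are not evaluated."""
    ok = {"guest_frequency": False, "guest_no_persistent_browser": False, "admin_frequency": False}
    for policy in policies:
        if policy.get("state") != "enabled":  # report-only policies enforce nothing
            continue
        users = policy.get("conditions", {}).get("users", {})
        session = policy.get("sessionControls") or {}
        hours = sign_in_frequency_hours(session)
        browser = session.get("persistentBrowser") or {}
        if covers_guests(users):
            if hours is not None and hours <= GUEST_MAX_HOURS:
                ok["guest_frequency"] = True
            if browser.get("isEnabled") and browser.get("mode") == "never":
                ok["guest_no_persistent_browser"] = True
        if covers_admins(users):
            if hours is not None and hours <= ADMIN_MAX_HOURS:
                ok["admin_frequency"] = True
    return ok


# Constructed sample tenant: a report-only guest policy and an admin policy with a 1-day frequency.
SAMPLE_TENANT = [
    {**guest_session_policy(), "state": "enabledForReportingButNotEnforced"},
    {**admin_session_policy(),
     "sessionControls": {"signInFrequency": {"value": 1, "type": "days",
                                             "frequencyInterval": "timeBased", "isEnabled": True}}},
]

if __name__ == "__main__":
    print("before:", audit_ca11(SAMPLE_TENANT))
    print("after: ", audit_ca11([guest_session_policy(), admin_session_policy()]))
```

The two policy bodies can be created with a POST to the Graph endpoint /identity/conditionalAccess/policies (or New-MgIdentityConditionalAccessPolicy with -BodyParameter). The audit deliberately treats a report-only policy as non-compliant, because a policy in that state never terminates a session, and it converts "days" to hours so that a 1-day admin policy is correctly flagged as exceeding the 8-hour limit.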
Q: What license do I need for CA-11?
This control requires Azure AD Premium P1 (included in Microsoft 365 E3) or higher.
Q: Which security baseline includes CA-11?
CA-11 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.