Forum Discussion

StuartK73
Iron Contributor
Mar 19, 2025

Sign-in Frequency Policy for Office / FLWs

Hi All

I hope you are well.

Anyway, I'm a bit confused with the Conditional Access Sign-in Frequency Session Control and MFA.

Info here:

https://learn.microsoft.com/en-us/entra/identity/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime#recommended-settings

So, what would be a good recommendation for:

  • Office staff (M365 E3 license)
  • Front Line Workers (F3 license)

And am I correct in saying that this includes MFA and that the default MFA period is 90 days?

Any help or advice on a good workable setting would be greatly appreciated.

Stuart

    micheleariis
    Steel Contributor

    Hi, from my experience, finding the right balance between security and usability with the Sign-in Frequency policy is key. For Office staff with an M365 E3 license, I’ve found that setting the re-authentication frequency (including the MFA prompt when enabled) to around every 8-12 hours works well. It provides a good level of security without significantly disrupting daily work.

    For Front Line Workers with an F3 license, given their dynamic work environments and the need for continuous access from various locations, a shorter interval—perhaps every 4-6 hours—seems to be more effective. Of course, these intervals can be fine-tuned based on the specific needs of your organization.

    Regarding MFA, my understanding is that the Sign-in Frequency policy does indeed include MFA. It’s not that there's a default 90-day MFA period; rather, that 90-day figure relates to the authentication token’s lifetime. The frequency at which users are prompted for re-authentication (and thus MFA) is governed by your configured policy settings.

      StuartK73
      Iron Contributor

      Hi Buddy

      Many thanks for your quick and informative reply.

      So, you reckon:

      • Office staff (M365 E3 license) - Sign-in frequency / MFA = 1 Day
      • Front Line Workers (F3 license) - Sign-in frequency / MFA = 4-6 Hours

      This is where the confusion arises for me, as places like the National Cyber Security Centre (NCSC) recommend avoiding "anti-MFA" or "MFA saturation" patterns. For example:

      "You should only require your users to re-authenticate when there is a need to regain assurance. For example, when performing a high-risk action or when re-building trust in a user's digital identity (after a suspected breach of their account and/or device)."

      https://www.ncsc.gov.uk/collection/mfa-for-your-corporate-online-services/avoiding-mfa-anti-patterns

      Stuart
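As an added example (not code from either poster, and not Microsoft's own sample), this is how the two Sign-in Frequency settings discussed in the thread would be expressed as Conditional Access policies with the Microsoft Graph PowerShell SDK. The group object IDs and the 12-hour / 6-hour values are assumptions; both policies are created in report-only state so the resulting prompt frequency can be checked in the sign-in logs before enforcing, and a break-glass group is excluded.

```powershell
# Added example: Sign-in Frequency session control for the two populations in the thread.
# Requires the Microsoft.Graph.Identity.SignIns module and Policy.ReadWrite.ConditionalAccess consent.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

function New-SignInFrequencyPolicy {
    param(
        [string]$DisplayName,
        [string]$IncludeGroupId,   # users the window applies to
        [string]$ExcludeGroupId,   # break-glass / emergency-access accounts
        [int]$Hours                # re-authentication window in hours
    )
    $body = @{
        displayName = $DisplayName
        # Report-only first: sign-in logs show where the prompt would fire without affecting users.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($IncludeGroupId); excludeGroups = @($ExcludeGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        sessionControls = @{
            signInFrequency = @{
                isEnabled         = $true
                type              = 'hours'
                value             = $Hours
                frequencyInterval = 'timeBased'
                # 'primaryAndSecondaryAuthentication' makes the prompt re-run MFA as well as the
                # password, which is the "does this include MFA?" point raised in the thread.
                authenticationType = 'primaryAndSecondaryAuthentication'
            }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Placeholder group IDs (assumption): replace with the tenant's own objects.
$officeGroup = '00000000-0000-0000-0000-000000000001'
$flwGroup    = '00000000-0000-0000-0000-000000000002'
$breakGlass  = '00000000-0000-0000-0000-000000000003'

New-SignInFrequencyPolicy -DisplayName 'SIF - Office staff (E3) - 12h' -IncludeGroupId $officeGroup -ExcludeGroupId $breakGlass -Hours 12
New-SignInFrequencyPolicy -DisplayName 'SIF - Frontline (F3) - 6h'     -IncludeGroupId $flwGroup    -ExcludeGroupId $breakGlass -Hours 6
```

Reviewing the report-only results against the sign-in logs before switching the state to enabled is the practical check for the MFA-fatigue concern raised in the thread: if users on compliant devices are being prompted far more often than the window suggests, the policy scope, not just the hour value, needs revisiting.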
