Forum Discussion
johos
Aug 29, 2022
Copper Contributor
Session - Sign-in frequency best practice
I am looking for any best practice when it comes to how often we should prompt users to sign in again and also validate with the help of MFA. I can not find any documentation that suggest how we s...
Aug 29, 2022
I'm not sure there's a best practice, as it depends on the business use case. The default config is a rolling window of 90 days.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency
johos
Aug 29, 2022
Copper Contributor
Thank you for the response @Christian. I am fully aware of the default configuration. How would you suggest building a business use case?
I have been trying to look into different ISO standards but can not find any documentation pointing out how often users should get prompted for MFA, especially administrators.
Do you have any personal recommendations?
I am currently doing some research for my organisation and from my experience I would like to set the Sign-in frequency to:
9h (1 work-day) for Privileged roles
5 days for regular users (regular work-week); this would also regulate itself back to Mondays if there were to be a holiday in the beginning of the week.
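The two values proposed in the post above (9 hours for privileged roles, 5 days for everyone else) map onto the sign-in frequency session control of Conditional Access. The following is an added example using the Microsoft Graph PowerShell SDK, not the poster's configuration; the role template ID and the break-glass account ID are placeholders, and both policies are created in report-only state so the sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the thread): two Conditional Access policies that
# enforce the sign-in frequencies discussed above. IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: privileged directory roles must re-authenticate every 9 hours.
# Scoping by role template means the policy follows role assignments rather
# than a hand-maintained list of admin accounts.
$privileged = @{
    displayName = "SIF - privileged roles - 9 hours"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles = @("<ROLE-TEMPLATE-ID-PLACEHOLDER>")        # e.g. the Global Administrator role template
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-ID-PLACEHOLDER>")  # keep emergency access accounts out of scope
        }
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 9 }
    }
}

# Policy 2: all other users must re-authenticate every 5 days (one work week).
$regular = @{
    displayName = "SIF - all users - 5 days"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-ID-PLACEHOLDER>")
        }
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "days"; value = 5 }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $privileged
New-MgIdentityConditionalAccessPolicy -BodyParameter $regular

# Verify: list every policy that carries a sign-in frequency control.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = "Frequency"; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```

Because the privileged-role policy is the stricter one, it wins for any account that matches both; the break-glass exclusion is there so a policy misconfiguration cannot lock out the emergency access path.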
Aug 29, 2022
You should involve your business here. Not sure it will be well received if making it mandatory with such a short interval for regular users. Sounds as if you're in a highly regulated environment.
johos
Aug 29, 2022
Copper Contributor
I totally agree with involving the business, but I would like to find some hard facts on "this is the approach" or "this is what you should do" or "these are the recommended settings".
AlexR91
Jan 29, 2024
Brass Contributor
johos I'm wondering the same thing as you. Microsoft gives some vague guidance and explains how it works, but doesn't prescribe best practice policies for those of us using Conditional Access. Should I have a policy specifying sign-in frequency? If so, how often should I require users to sign in?