Forum Discussion
johos
Aug 29, 2022, Copper Contributor
Session - Sign-in frequency best practice
I am looking for any best practice when it comes to how often we should prompt users to sign in again and also validate with the help of MFA. I can not find any documentation that suggests how we s...
johos
Aug 29, 2022, Copper Contributor
Thank you for the response @Christian. I am fully aware of the default configuration. How would you suggest building a business use case?
I have been trying to look into different ISO standards but can not find any documentation pointing out how often users should get prompted for MFA, especially administrators.
Do you have any personal recommendations?
I am currently doing some research for my organisation and from my experience I would like to set the Sign-in frequency to:
9h (1 work-day) for Privileged roles
5 days for regular users (regular work-week); this would also regulate itself back to Mondays if there were to be a holiday in the beginning of the week.
Aug 29, 2022
You should involve your business here. Not sure it will be well received if making it mandatory with such short interval for regular users. Sounds as if you're in a highly regulated environment.
- johos, Aug 29, 2022, Copper Contributor: I totally agree with involving the business, but I would like to find some hard facts on "this is the approach" or "this is what you should do" or "this is the recommended settings".
- AlexR91, Jan 29, 2024, Brass Contributor
johos I'm wondering the same thing as you. Microsoft gives some vague guidance and explains how it works, but doesn't prescribe best practice policies for those of us using Conditional Access. Should I have a policy specifying sign-in frequency? If so, how often should I require users to sign in?
- keenanbrooks, Feb 02, 2024, Brass Contributor: johos, from the ISO audits I've been in, we haven't been asked about how often they're required to reauthenticate, just that it's enabled. I'd only really care about the sign-in frequency and never persistent sessions personally for devices that are not hybrid joined or compliant, obviously with a CA for either of the two requiring it.
The conditional access template under Zero Trust called 'no persistent browser session' can get this sorted for you; it also has the sign-in frequency of 1 hour. AlexR91, that might help you in terms of a policy specifying it.
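The two policies proposed in this thread (9 hours for privileged roles, 5 days for everyone else, with persistent browser sessions disabled for the privileged one), written as an added example with the Microsoft Graph PowerShell SDK; this is not code from the thread or from Microsoft, it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement modules are installed and a signed-in account that can create Conditional Access policies, and it creates both policies in report-only mode so the effect on users can be reviewed in sign-in logs before enforcing.

```powershell
# Added example, not from the thread: two sign-in-frequency (SIF) policies in report-only mode.
# Assumes the Microsoft.Graph modules named above and an account allowed to manage CA policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','RoleManagement.Read.Directory'

# Resolve the role template ID by display name instead of hard-coding a GUID.
$gaRoleId = (Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -eq 'Global Administrator').Id

function New-SifPolicy {
    param(
        [string]$Name,
        [hashtable]$Users,                              # Graph "users" condition block
        [int]$Value,
        [ValidateSet('hours','days')][string]$Type,
        [switch]$NoPersistentBrowser                    # also block "stay signed in"
    )
    $body = @{
        displayName = $Name
        state       = 'enabledForReportingButNotEnforced'   # report-only; switch to 'enabled' after review
        conditions  = @{
            users          = $Users
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        sessionControls = @{
            signInFrequency = @{ value = $Value; type = $Type; isEnabled = $true }
        }
    }
    if ($NoPersistentBrowser) {
        $body.sessionControls.persistentBrowser = @{ mode = 'never'; isEnabled = $true }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 9 hours (one work day) for privileged roles, no persistent browser sessions.
New-SifPolicy -Name 'SIF-Privileged-9h' -Users @{ includeRoles = @($gaRoleId) } `
    -Value 9 -Type hours -NoPersistentBrowser

# 5 days (one work week) for all users.
New-SifPolicy -Name 'SIF-AllUsers-5d' -Users @{ includeUsers = @('All') } `
    -Value 5 -Type days
```

An administrator matches both policies; when several sign-in frequency policies apply to a sign-in, the shortest interval is the one enforced.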