Forum Discussion
johos
Aug 29, 2022 - Copper Contributor
Session - Sign-in frequency best practice
I am looking for any best practice when it comes to how often we should prompt users to sign in again and also validate with the help of MFA. I cannot find any documentation that suggests how we s...
johos
Aug 29, 2022 - Copper Contributor
I totally agree with involving the business, but I would like to find some hard facts on "this is the approach" or "this is what you should do" or "this is the recommended settings".
AlexR91
Jan 29, 2024 - Brass Contributor
johos, I'm wondering the same thing as you. Microsoft gives some vague guidance and explains how it works, but doesn't prescribe best practice policies for those of us using Conditional Access. Should I have a policy specifying sign-in frequency? If so, how often should I require users to sign in?
keenanbrooks
Feb 02, 2024 - Brass Contributor
johos, from the ISO audits I've been in, we haven't been asked about how often they're required to reauthenticate, just that it's enabled. I'd only really care about the sign-in frequency and never persistent sessions personally for devices that are not hybrid joined or compliant, obviously with a CA for either of the two requiring it.
The Conditional Access template under Zero Trust called 'no persistent browser session' can get this sorted for you; it also has the sign-in frequency of 1 hour. AlexR91, that might help you in terms of a policy specifying it.