Conditional Access Policy - Sign-in Frequency enabled.


On the Security Score dashboard, I have a recommendation:

Ensure sign-in frequency is enabled and browser sessions are not persistent for administrative users.
Forcing a time-out for MFA will help ensure that sessions are not kept alive for an indefinite period of time. Ensuring that browser sessions are not persistent will help prevent drive-by attacks in web browsers; this also prevents the creation and saving of session cookies, leaving nothing for an attacker to take.


The Implementation tab says to create a new CA policy; it provides the settings and the minimum set of roles to apply it to.


I created the CA policy weeks ago and the points were never applied. This still shows as a recommendation.


The implementation status says this:

Setting is: sign-in frequency is not yet enabled in the following accounts: "BLOCK - CA003: Block legacy authentication", "BLOCK - Risky Countries and Attackers", "ALL - CA004: Require MFA for all users" and 18 additional accounts. Please go to the "Implementation" tab to view the required steps to enable the setting.


#1 - These are not ACCOUNTS it is listing; they are CA policies.

#2 - The implementation steps say to create a NEW CA policy, not to edit every existing CA policy.


I am wondering if anyone has been able to get this CA policy to work (apply the points and remove the recommendation)?

0 Replies
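For readers who want to reproduce the policy the recommendation describes, here is an added example (not part of the original post and not Microsoft's own implementation steps) using the Microsoft Graph PowerShell SDK. It creates a Conditional Access policy scoped to directory roles with a 4-hour sign-in frequency and persistent browser sessions disabled, then lists every existing policy's sign-in frequency and persistent-browser settings so you can compare against the implementation-status list above. The policy name, the 4-hour interval, the role list, and the break-glass account ID are assumptions to adapt to your tenant.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph modules
# are installed (Install-Module Microsoft.Graph -Scope CurrentUser) and the
# signed-in user holds Conditional Access Administrator rights.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Hypothetical break-glass account object ID (replace with your own). Emergency
# access accounts should be excluded so a session-timeout policy cannot lock you out.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

# Directory roles the policy targets (assumed list; extend to match the role set the
# recommendation asks for). Role template IDs are resolved by display name so no
# GUIDs are hard-coded here.
$roleNames = @(
    "Global Administrator",
    "Security Administrator",
    "Conditional Access Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "Helpdesk Administrator",
    "User Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id

$policy = @{
    displayName     = "ADMIN - Sign-in frequency 4h, no persistent browser"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassUserId)
        }
    }
    sessionControls = @{
        # Re-authentication every 4 hours (assumed interval).
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 4 }
        # "never" = browser session ends when the browser closes; no persistent cookie.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Audit: which existing policies carry sign-in frequency / persistent browser controls?
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    $sif = $_.SessionControls.SignInFrequency
    $pb  = $_.SessionControls.PersistentBrowser
    [pscustomobject]@{
        Policy            = $_.DisplayName
        State             = $_.State
        SignInFrequency   = if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { "not set" }
        PersistentBrowser = if ($pb.IsEnabled) { $pb.Mode } else { "not set" }
    }
} | Format-Table -AutoSize
```

The audit table at the end lists each policy by name with its sign-in frequency and persistent-browser settings, which makes it easy to see which of the policies named in the Secure Score status message have those session controls and which do not. Keep the new policy in report-only mode until the sign-in logs confirm it matches only the intended admin sessions.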