In complex or high-risk environments, organizations often need tighter control over how long authentication sessions remain valid. Session management in Conditional Access allows administrators to restrict or re-evaluate user sessions without applying disruptive policies to all users.
Common scenarios where session controls are required include access from unmanaged or shared devices, access to sensitive data from external networks, executive or high-priority users, and critical business applications. Conditional Access session controls let you target these scenarios precisely while maintaining usability for the rest of the organization.
User sign-in frequency defines how often a user must reauthenticate when accessing a resource. By default, Microsoft Entra ID uses a rolling sign-in window of 90 days.
Although it might seem safer to prompt users for credentials more frequently, excessive prompts can increase risk. Users trained to enter credentials repeatedly may unintentionally submit them to malicious prompts. Instead, Microsoft Entra ID follows a risk-based approach: sessions remain valid unless the security posture changes.
Examples of events that automatically revoke or re-evaluate sessions include:
In short: Microsoft Entra ID avoids unnecessary reauthentication unless something meaningful changes.
The sign-in frequency control works with applications that follow OAuth 2.0 or OpenID Connect standards. This includes most Microsoft and modern SaaS applications.
SAML applications are also supported, provided they regularly redirect authentication back to Microsoft Entra ID and do not rely solely on long-lived application cookies.
Originally, sign-in frequency applied only to primary authentication. Based on customer feedback, Microsoft extended this behavior so that sign-in frequency can also require MFA to be satisfied again.
This ensures that users are prompted for MFA again when the policy's interval elapses, rather than relying indefinitely on a previously satisfied MFA challenge.
On Microsoft Entra joined, hybrid joined, or registered devices, certain device actions count as sign-in events. Unlocking a device or signing in interactively can reset the sign-in frequency timer.
Example 1:
A user signs in at 00:00 and works continuously. If the policy requires sign-in every hour, the user is prompted again at 01:00.
Example 2:
A user signs in at 00:00, locks the device at 00:30, and unlocks it at 00:45.
The next sign-in prompt occurs at 01:45, because the unlock event reset the timer.
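As an added illustration (not code from the original page or from Microsoft), the following Python models the timer behavior in the two examples above, and generalizes it to the case the page implies: an unlock on a device that is not joined, hybrid joined or registered does not reset the timer. Event kinds, the `registered` flag and the clock start are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed model of the sign-in frequency timer described on this page
# (not Microsoft's implementation). Assumptions: events are interactive
# sign-ins, device locks and device unlocks; "registered" marks an Entra
# joined, hybrid joined or registered device.


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str          # "signin", "lock" or "unlock"
    registered: bool   # device joined / hybrid joined / registered in Entra ID


def next_prompt(events: Iterable[Event], frequency: timedelta) -> datetime:
    """Time at which the sign-in frequency policy next forces reauthentication.

    - An interactive sign-in always restarts the timer.
    - An unlock restarts the timer only on a registered device, because only
      there does the unlock count as a sign-in event.
    - A lock never touches the timer.
    """
    last_reset = None
    for ev in sorted(events, key=lambda e: e.at):
        if ev.kind == "signin" or (ev.kind == "unlock" and ev.registered):
            last_reset = ev.at
    if last_reset is None:
        raise ValueError("no sign-in event: the timer was never started")
    return last_reset + frequency


def must_reauthenticate(events: Iterable[Event], frequency: timedelta,
                        access_at: datetime) -> bool:
    """True when a resource access at access_at is prompted for credentials."""
    prior = [ev for ev in events if ev.at <= access_at]
    return access_at >= next_prompt(prior, frequency)


T0 = datetime(2024, 1, 1, 0, 0)   # constructed clock start ("00:00" in the examples)
HOURLY = timedelta(hours=1)       # policy: sign-in frequency of one hour
MINUTE = timedelta(minutes=1)

# Example 1: continuous work, prompted at 01:00.
example_1 = [Event(T0, "signin", True)]

# Example 2: lock at 00:30, unlock at 00:45 on a registered device -> prompt at 01:45.
example_2 = [
    Event(T0, "signin", True),
    Event(T0 + 30 * MINUTE, "lock", True),
    Event(T0 + 45 * MINUTE, "unlock", True),
]

if __name__ == "__main__":
    print(next_prompt(example_1, HOURLY).strftime("%H:%M"))  # 01:00
    print(next_prompt(example_2, HOURLY).strftime("%H:%M"))  # 01:45
```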
Persistent browser sessions allow users to remain signed in after closing and reopening their browser. By default, Microsoft Entra ID allows users on personal devices to choose whether to persist the session using the “Stay signed in?” prompt.
Administrators can override this behavior using Conditional Access to force or block persistence depending on risk and device type.
Before deploying session management policies broadly, Microsoft recommends validating them using the Conditional Access What-If tool. This tool simulates sign-ins and shows how session controls will apply.
Best practice is to test new policies in a dedicated test tenant or pilot group before production rollout.
Traditional OAuth access tokens are valid for up to one hour. This creates a delay between when a security condition changes and when access is revoked.
Continuous Access Evaluation (CAE) solves this by enabling near real-time communication between Microsoft Entra ID and CAE-capable applications. Instead of waiting for token expiration, access can be revoked immediately when risk conditions change.
CAE turns access control into an ongoing conversation rather than a one-time decision.