Session Duration

Glenn Maxwell 13,491 Reputation points
2026-04-04T08:57:54.4933333+00:00

Hi All,

I have been asked to implement the following changes and would appreciate guidance on the potential concerns and benefits of enabling these policies. For context, we are using Okta as our SSO and MFA provider, and we have an Exchange hybrid environment. We create users on-premises and migrate them to Exchange Online. Users are licensed with Microsoft 365 E5.

Conditional Access Policy:

  1. Create a "Session Duration" policy by going to Entra ID -> Conditional Access -> + New Policy
  2. Set audience -> All users
  3. Set access control: "Session" -> set Sign-in frequency to 4 or less
  4. Set "Enable policy" to "On"

Could someone please share insights on the security impact versus user experience trade-offs of implementing this policy, particularly in a hybrid setup with Okta as the identity provider?


2 answers

  1. Jayden-P 18,565 Reputation points Microsoft External Staff Moderator
    2026-04-04T09:39:43.4666667+00:00

    Hi @Glenn Maxwell

    You can refer to the Q&A's answer for some helpful insights. This is the list of supported apps:

    [image not reproduced]

    You set the value to 4, is it 4 hours or 4 days?

    The upside of this control is enhanced security and a stronger posture on high-risk or unmanaged access. You can read here for more details: Conditional Access adaptive session lifetime policies - Microsoft Entra ID | Microsoft Learn

    When enforced for all users with 4 hours, this policy often causes noticeable friction:

    • Frequent MFA prompts during normal work hours
    • MFA prompts triggered by Outlook or Teams background token refresh
    • Mobile users (iOS/Android) experiencing repeated sign-ins or MFA loops

    Another caution is:

    [image not reproduced]

    Instead of a tenant‑wide 4‑hour policy, a more balanced design is typically more successful:

    • Normal users: sign-in frequency (for example 24–72 hours)
    • High-risk or sensitive access: short frequency (4 hours or “Every time”), scoped by device state, location, user or sign-in risk, or admin roles

    I hope this information helps.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Q&A Assist
    2026-04-04T08:58:13.4666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Setting a Conditional Access sign-in frequency policy to 4 hours or less for all users increases security but can significantly impact user experience, especially in a hybrid environment and when Okta is the primary IdP.

    Key technical behavior

    • Sign-in frequency controls how often users must reauthenticate when a new access token is requested for Microsoft Entra–protected resources such as Exchange Online and SharePoint Online.
    • Users are prompted only when a new access token is requested; simply closing and reopening the browser does not always cause a prompt if the token is still valid.
    • When “Every time” is used, reauthentication is enforced whenever the session is evaluated, with a minimum of 5 minutes between prompts to avoid excessive looping. With “Periodic reauthentication” (for example, 4 hours), prompts occur when a token older than that period is needed.
    • For Microsoft 365 apps, it is recommended to keep sign-in frequency consistent across key apps like Exchange Online and SharePoint Online for a better user experience.

    Security benefits

    1. Reduced window for token misuse
      • Shorter sign-in frequency limits how long a stolen or replayed token can be used.
      • Particularly valuable for unmanaged or personal devices where the OS lock/MFA posture is weaker.
    2. Stronger posture for risky users and sessions
      • Sign-in frequency can be combined with risk-based policies (for example, “Every time” for high sign-in or user risk) to force MFA and/or password change when risk is elevated.
      • This is aligned with recommended patterns such as requiring reauthentication every time for high-risk users or sign-ins.
    3. Better control over access from non-compliant devices
      • When combined with device-based conditions and session controls, shorter lifetimes help ensure that access from non-compliant or non-domain-joined devices is regularly revalidated.

    User experience and operational trade-offs

    1. Increased authentication prompts
      • A 4-hour or shorter sign-in frequency means users may see prompts multiple times per day across Exchange Online, SharePoint Online, Teams, and other Microsoft 365 apps.
      • For web apps, this is usually less disruptive; for rich clients (Outlook, Teams desktop) it can be more intrusive.
    2. MFA fatigue and friction
      • Frequent prompts can cause MFA fatigue and make users more likely to approve malicious prompts, weakening overall security.
      • Guidance explicitly warns that requiring reauthentication too frequently can increase friction and open the door to phishing.
    3. Risk of sign-in loops
      • Using “Every time” without MFA can cause sign-in looping behavior for users.
      • Even with periodic reauthentication, misalignment between Okta session lifetime and Entra sign-in frequency can create confusing re-prompt patterns.
    4. Hybrid and Okta-specific considerations
      • In a hybrid setup with Okta as the primary SSO/MFA provider, users may:
        • Authenticate to Okta (primary session) and then to Microsoft Entra (federated or downstream session).
        • Experience multiple layers of prompts if Okta session lifetime and Entra sign-in frequency are not aligned.
      • If Okta sessions are long-lived but Entra sign-in frequency is short, users may be redirected to Okta frequently. If Okta silently reauthenticates, prompts may be minimal; if not, users will see frequent Okta MFA challenges.
    5. Impact on Windows 365 / AVD (if used)
      • For Windows 365 and Azure Virtual Desktop, sign-in frequency affects when reauthentication is required for listing Cloud PCs, initiating actions, or connecting to the gateway. Short intervals can disrupt workflows if users are frequently reconnecting.

    Recommended patterns and mitigations

    1. Prefer time-based sign-in frequency for Microsoft 365 apps
      • Use “Periodic reauthentication” (for example, several hours or days) rather than “Every time” for core Microsoft 365 apps to balance security and usability.
      • Keep the same frequency for Exchange Online and SharePoint Online to avoid inconsistent prompts.
    2. Use stricter settings only for high-risk scenarios
      • Apply “Every time” or very short intervals only to:
        • High sign-in risk or high user risk (for example, via risk-based Conditional Access policies).
        • Sensitive admin portals (Azure portal, Entra admin center) or privileged roles, potentially combined with PIM activation.
    3. Combine with device-based controls
      • For unmanaged or non-compliant devices, use Conditional Access filters and session controls (shorter sign-in frequency, non-persistent browser sessions) to tighten access.
      • For managed/compliant devices, allow longer sign-in frequency to reduce friction.
    4. Test and roll out gradually
      • Follow guidance to test in a non-production or pilot environment first, using report-only mode to understand impact before enforcing.
      • Monitor sign-in logs and user feedback to adjust the interval.

    Summary of trade-off

    • Security: A 4-hour or shorter sign-in frequency improves security by limiting token lifetime and forcing regular revalidation, especially useful for unmanaged devices and high-risk users.
    • User experience: It increases prompts and can cause MFA fatigue, especially in a hybrid Okta + Entra environment where users may see both Okta and Microsoft prompts. Careful scoping (by risk, device, and app) and alignment with Okta session policies are critical to avoid excessive friction.

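Both answers above converge on the same rollout pattern: do not switch a 4-hour sign-in frequency on tenant-wide, but scope it, run it in report-only mode first, and read the sign-in logs before enforcing. The following Microsoft Graph PowerShell script is an added example written for this thread, not code from Microsoft or from either answer. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin has the Policy.ReadWrite.ConditionalAccess, AuditLog.Read.All and Directory.Read.All permissions, and that the two group IDs (a pilot group and an emergency-access group) are placeholders you replace with your own. The property names used in the policy body (state, sessionControls.signInFrequency with value, type, frequencyInterval, authenticationType) are the Graph conditionalAccessPolicy schema; the result values on appliedConditionalAccessPolicies (reportOnlySuccess, reportOnlyFailure, reportOnlyInterrupted, reportOnlyNotApplied) are the documented report-only outcomes.

```powershell
# Added example (not from the thread): create a scoped sign-in frequency policy
# in report-only mode, then measure from the sign-in logs what it would have done.
# Assumes Microsoft.Graph SDK and the permissions named in the lead-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Placeholders: replace with real group object IDs from your tenant.
$pilotGroupId      = "00000000-0000-0000-0000-000000000001"   # small pilot population, not "All users"
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # emergency-access accounts, always excluded

$policy = @{
    displayName = "Session Duration - 4h sign-in frequency (pilot)"
    # Report-only: Entra evaluates and logs the outcome but never prompts or blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        # The "Office365" app group keeps Exchange Online and SharePoint Online on
        # the same interval, which both answers recommend to avoid mismatched prompts.
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            value              = 4
            type               = "hours"
            # "timeBased" = periodic reauthentication; "everyTime" is the stricter
            # option the answers reserve for high-risk or privileged scopes.
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

function Get-ReportOnlyImpact {
    # Summarise, per user and outcome, every sign-in the report-only policy was
    # evaluated against in the last $Days days. Outcomes other than
    # reportOnlySuccess / reportOnlyNotApplied are the sign-ins where enforcement
    # would have interrupted (re-prompted) or failed the user.
    param(
        [Parameter(Mandatory)][string]$PolicyDisplayName,
        [int]$Days = 7
    )
    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    $hits = foreach ($s in $signIns) {
        $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyDisplayName }
        if ($applied) {
            [pscustomobject]@{
                User        = $s.UserPrincipalName
                App         = $s.AppDisplayName
                Client      = $s.ClientAppUsed      # rich clients (Outlook, Teams) are where friction shows first
                Interactive = $s.IsInteractive
                Result      = $applied.Result
                When        = $s.CreatedDateTime
            }
        }
    }

    $hits | Group-Object User, Result |
        Sort-Object Count -Descending |
        Select-Object @{ n = "User,Result"; e = { $_.Name } }, Count
}

# After a few days of report-only data, compare the interrupt counts per user and
# per client against the Okta session lifetime before deciding on the interval:
#   Get-ReportOnlyImpact -PolicyDisplayName $policy.displayName -Days 7
# Once the numbers are acceptable, enforce the same policy object rather than
# creating a new one:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The pilot group and the emergency-access exclusion are the two pieces of scoping the thread calls out; widening includeGroups towards "All" and shortening the interval for a separate risk- or role-scoped policy are both later steps, taken only after the report-only counts have been reviewed.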
