CA-11MediumRecommended Secure
Enforce Session Lifetime Limits for Guests and Admins
Conditional Access control for Microsoft 365 and Entra ID
Why This Control Matters
Guests and admins represent elevated risk. Guest accounts access your data from unmanaged devices; limiting session lifetime reduces exposure if credentials are compromised. Admin sessions should be short-lived. Regular users on managed devices can have longer sessions to avoid productivity impact.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1Sign-in frequency is enforced via Conditional Access for high-risk scenarios
- 2Guest user sessions expire within 24 hours
- 3Admin sessions expire within 8 hours
- 4Persistent browser sessions are disabled for guest access
Enforcement
Default Mode
Advisory
Alerts on deviations but does not make changes
Auto-Remediation
Available
Creates Conditional Access policies with sign-in frequency for guests (24h) and admins (8h)
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.