Browser Sessions shall not be persistent for privileged users
Description
A persistent browser session keeps the sign-in cookie after the browser is closed, so a session token stolen from the device stays usable until it expires. To shorten that window and reduce the risk of session and credential theft, disallow persistent browser sessions for highly privileged users.
Policy
Highly privileged users shall not have persistent browser sessions.
Licensing Considerations
Azure AD P1 (now Microsoft Entra ID P1), required for Conditional Access. Can be purchased standalone or as part of the following bundles:
Microsoft 365 Business Premium
EMS E3 or EMS E5
Microsoft 365 E3
Microsoft 365 E5
Set Up Instructions
Create a Conditional Access policy for persistent browser sessions, following the Microsoft Learn article "Configure authentication session management - Azure Active Directory - Microsoft Entra".
Under Users > Include > Select users and groups, choose Directory roles and select the highly privileged roles (for example Global Administrator, Privileged Role Administrator and Security Administrator). Exclude your emergency access (break-glass) accounts so they are never locked out by this policy.
Under Target resources (Cloud apps), select All cloud apps. The persistent browser session control only takes effect when the policy targets all apps.
Under Session, enable Persistent browser session and set it to Never persistent. This setting overrides the "Show option to remain signed in" company branding setting for the scoped users.
Create the policy in report-only mode first, review the sign-in logs for the scoped roles, then switch it to On.
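The same policy created from the command line with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page or of any Microsoft script. It assumes the Microsoft.Graph module is installed, that the listed role names are the ones you consider highly privileged, and that the break-glass group ID is a placeholder you replace with your own. The policy is created in report-only state so nothing is enforced until you change it.

```powershell
# Added example (not from the original page): build the "never persistent browser
# session" Conditional Access policy for privileged directory roles via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

# Assumption: these are the roles the organisation treats as highly privileged.
$privilegedRoleNames = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Security Administrator',
    'Conditional Access Administrator',
    'Exchange Administrator',
    'SharePoint Administrator'
)

# Resolve role template IDs by display name instead of hard-coding GUIDs.
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $privilegedRoleNames } |
    Select-Object -ExpandProperty Id)

if ($roleIds.Count -ne $privilegedRoleNames.Count) {
    Write-Warning "Resolved $($roleIds.Count) of $($privilegedRoleNames.Count) role names; check spelling."
}

# Placeholder: group containing the emergency access (break-glass) accounts.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$params = @{
    displayName = 'CA - Privileged roles - Never persistent browser session'
    # Report-only first; change to 'enabled' after reviewing sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # The persistent browser control only takes effect when targeting all apps.
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles  = $roleIds
            excludeGroups = @($breakGlassGroupId)
        }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        # Equivalent of Session > Persistent browser session > Never persistent.
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Verify what was actually stored before switching the policy on.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = 'Roles';             e = { $_.Conditions.Users.IncludeRoles -join ',' } },
        @{ n = 'PersistentBrowser'; e = { $_.SessionControls.PersistentBrowser.Mode } }
```

To cover the guest and external access scenario from the Tips section, add 'GuestsOrExternalUsers' to includeUsers in a second policy rather than widening this one, so the privileged-role policy stays easy to audit.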
End-User Impact
Level: Medium
Because the policy is scoped to privileged roles only, the number of affected users is small. The impact is still rated medium because the session cookie is no longer kept across browser restarts, so the scoped users must re-authenticate every time they close and reopen the browser.
Tips
The same control can additionally be scoped to guest users, and to external access from personal devices that are not MDM- or MAM-enrolled, since a session persisted on an unmanaged device is the one most exposed to theft.
PowerShell Scripts
None Currently
Videos
None Currently