Browser Sessions shall not be persistent for privileged users

Description

To reduce the risk of credential theft during user sessions, disallow persistent browser sessions for highly privileged users.

Policy

Highly privileged users shall not have persistent browser sessions.

Licensing Considerations

Azure AD P1. Can be purchased standalone or part of the following bundles:

Microsoft 365 Business Premium
EMS+ E3 or EMS + E5
Microsoft 365 E3
Microsoft 365 E5

Set Up Instructions

Create a conditional access policy for Persistent Browser sessions: Configure authentication session management - Azure Active Directory - Microsoft Entra | Microsoft Learn
Under Users>Include<Select Users and Groups, choose Directory Roles.
Configure highly privileged Directory Roles

End-User Impact

Level: Medium

Since this will be only scoped to privileged roles, the impact will be limited. The severity of impact is increased to medium since it does require the scoped users to reauthenticate once every time the user closes and reopens the browser.

Tips

This is a policy that you could scope additionally to guest users and for external access on personal devices that are not MDM or MAM enrolled.

PowerShell Scripts

None Currently

Videos

None Currently

PreviousHigh Risk Sign-Ins Shall Be Blocked NextMFA shall be required to enroll devices to Azure AD

Last updated 10 months ago