Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
Why This Matters
Administrative accounts with unlimited session lifetimes present a critical security gap. If an attacker compromises an active session, they can maintain persistent access to privileged roles without ever triggering an MFA prompt. Enforcing sign-in frequency limits and blocking persistent browser sessions significantly reduces the window of opportunity for session hijacking and drive-by attacks.
What Aether365 Checks
Aether365 verifies that Conditional Access policies enforce a maximum sign-in frequency of 4 hours (E3 tenants) or 24 hours (E5 tenants using PIM) for administrative users, and that persistent browser sessions are set to Never persist. This check appears in the Aether365 dashboard under entra-id checks as ENTRA.1117.
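The following script is an added, self-contained illustration of the logic behind this check; it is not Aether365 code and does not call Microsoft Graph. It evaluates policy documents shaped like the Graph `conditionalAccessPolicy` resource (the `sessionControls.signInFrequency` and `sessionControls.persistentBrowser` objects, `conditions.users.includeRoles`, and `state`) against the two thresholds the check uses. The sample policies are constructed, and the set of role template IDs treated as "administrative" (Global Administrator, Privileged Role Administrator, Security Administrator) is an assumption of this example rather than Aether365's list. In a live tenant the policy objects would come from `GET /identity/conditionalAccess/policies`.

```python
"""Offline evaluation of the ENTRA.1117 condition: administrative roles must be
covered by an enabled Conditional Access policy that enforces a bounded sign-in
frequency and sets persistent browser sessions to 'never'.

Policy dicts follow the Microsoft Graph conditionalAccessPolicy shape. All
sample data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Directory role template IDs this example treats as administrative.
# Which roles to cover is an assumption of the example, not an Aether365 list.
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLE_ADMINISTRATOR = "e8611ab8-c189-46e8-94e1-60213ab1f814"
SECURITY_ADMINISTRATOR = "194ae4cb-b126-40b2-bd5b-6091b380977d"
ADMIN_ROLE_IDS = frozenset(
    {GLOBAL_ADMINISTRATOR, PRIVILEGED_ROLE_ADMINISTRATOR, SECURITY_ADMINISTRATOR}
)

# Thresholds from the check description: 4 h for E3, 24 h for E5 tenants using PIM.
MAX_HOURS_E3 = 4
MAX_HOURS_E5_PIM = 24


@dataclass
class Finding:
    policy: str
    reasons: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.reasons


def sign_in_frequency_hours(control: dict | None) -> float | None:
    """Configured sign-in frequency in hours; 0 for 'everyTime'; None if the
    control is absent, disabled, or malformed."""
    if not control or not control.get("isEnabled"):
        return None
    if control.get("frequencyInterval") == "everyTime":
        return 0.0
    value, unit = control.get("value"), control.get("type")
    if value is None or unit not in ("hours", "days"):
        return None
    return float(value) * (24 if unit == "days" else 1)


def evaluate_policy(policy: dict, max_hours: int) -> Finding:
    """Return every reason a single policy fails to satisfy the check."""
    finding = Finding(policy.get("displayName", "<unnamed>"))
    if policy.get("state") != "enabled":
        finding.reasons.append(f"state is {policy.get('state')!r}, not 'enabled'")
    users = policy.get("conditions", {}).get("users", {})
    missing = ADMIN_ROLE_IDS - set(users.get("includeRoles", []))
    if missing:
        finding.reasons.append(f"{len(missing)} admin role(s) not targeted")
    session = policy.get("sessionControls") or {}
    hours = sign_in_frequency_hours(session.get("signInFrequency"))
    if hours is None:
        finding.reasons.append("sign-in frequency not enforced")
    elif hours > max_hours:
        finding.reasons.append(f"sign-in frequency {hours:g} h exceeds {max_hours} h")
    browser = session.get("persistentBrowser") or {}
    if not (browser.get("isEnabled") and browser.get("mode") == "never"):
        finding.reasons.append("persistent browser session is not set to 'never'")
    return finding


def tenant_compliant(policies: list[dict], max_hours: int) -> tuple[bool, list[Finding]]:
    """The tenant passes if at least one policy satisfies every condition."""
    findings = [evaluate_policy(p, max_hours) for p in policies]
    return any(f.compliant for f in findings), findings


# Constructed sample policies (not exported from any real tenant).
SAMPLE_POLICIES = [
    {
        "displayName": "CA - Admins - 1 day sign-in frequency, no persistence",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": sorted(ADMIN_ROLE_IDS)}},
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "days", "value": 1,
                                "frequencyInterval": "timeBased"},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    },
    {
        "displayName": "CA - Global Admins - require MFA only",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMINISTRATOR]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": None,
    },
]

if __name__ == "__main__":
    for label, limit in (("E3", MAX_HOURS_E3), ("E5 + PIM", MAX_HOURS_E5_PIM)):
        ok, findings = tenant_compliant(SAMPLE_POLICIES, limit)
        print(f"[{label}] ENTRA.1117 {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print(f"  {f.policy}: {'ok' if f.compliant else '; '.join(f.reasons)}")
```

The same 1-day policy passes the E5/PIM threshold and fails the E3 one, which is the distinction the check draws; a policy that only requires MFA without session controls never satisfies it.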