Session Policies
Control user session behavior including token lifetime, persistent sessions, and sign-in frequency through Conditional Access.
Session Controls
| Control | Description |
|---|---|
| Sign-in frequency | How often users must re-authenticate |
| Persistent browser | Remember sign-in across browser sessions |
| Continuous access evaluation | Real-time policy enforcement during sessions |
| Customizable token lifetime | Configure access and refresh token durations |
Recommended Settings
- High-risk apps — Re-authenticate every 1 hour
- Standard apps — Re-authenticate every 8 hours
- Low-risk apps — Persistent sessions with CAE
- Unmanaged devices — No persistent sessions
Continuous Access Evaluation
CAE enables near real-time policy enforcement by:
- Revoking tokens when user risk changes
- Enforcing location policy changes immediately
- Responding to password changes and account disabling
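The recommended settings and the CAE triggers above, combined into a single session decision. This is an added example, not the product's own code or API: the tier names, event names and `Session` fields are hypothetical. It also assumes that every CAE event revokes the token, that high-risk and standard sessions are not persistent, and that unknown tiers fail closed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Page's recommended settings per app tier: (sign-in frequency, persistence).
# Tier names are hypothetical; persistence for high/standard is an assumption.
TIERS = {
    "high": (timedelta(hours=1), False),
    "standard": (timedelta(hours=8), False),
    "low": (None, True),  # persistent session, protected by CAE only
}
# Hypothetical event names for the CAE triggers the page lists.
CAE_EVENTS = {"user_risk_changed", "location_policy_changed",
              "password_changed", "account_disabled"}

@dataclass
class Session:
    user: str
    app_tier: str
    device_managed: bool
    last_sign_in: datetime
    browser_restarted: bool = False

def evaluate(s, now, events=()):
    """Return 'revoke', 'reauthenticate' or 'allow' for one session.

    events: iterable of (user, event_name, occurred_at) tuples.
    """
    # CAE: an event newer than the last sign-in invalidates the token at once,
    # regardless of how much sign-in frequency time is left.
    for user, name, at in events:
        if user == s.user and name in CAE_EVENTS and at > s.last_sign_in:
            return "revoke"
    # Unknown tiers fail closed to the strictest setting (assumption).
    max_age, persistent = TIERS.get(s.app_tier, TIERS["high"])
    if max_age is not None and now - s.last_sign_in >= max_age:
        return "reauthenticate"
    # Unmanaged devices never keep a session across browser restarts.
    if s.browser_restarted and not (persistent and s.device_managed):
        return "reauthenticate"
    return "allow"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)  # constructed sample data
    s = Session("alice", "low", True, now - timedelta(days=3), True)
    print(evaluate(s, now))
    print(evaluate(s, now, [("alice", "password_changed", now - timedelta(minutes=5))]))
```

A low-risk session on a managed device survives a browser restart days later, yet the same session is revoked as soon as a CAE event postdates its sign-in.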
API Reference
- GET /api/security/session-policies — Get session policies
- PUT /api/security/session-policies — Update policies