This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 12%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL5%3C/text%3E%3C/svg%3E)
Hello,
We have detected abnormal sign-in activity that raises some concerns. One of our admins successfully logged in at 1:10 AM, but she stated in an email that it was not her. Although we have Multi-Factor Authentication (MFA) enabled for all users, the authentication method was marked as "previously satisfied" for both the first-factor requirement and the MFA requirement. This indicates that the authentication was completed in a prior session or within the token's validity period.
Upon further investigation, I found that the admin's session ID has remained unchanged for the past 30 days. This suggests that she does not log out at the end of the day or log in each morning. I confirmed this with her and other office admins, who typically work on Microsoft 365 desktop applications without logging in and out daily. When I look at remote users, they have a new session ID every day they log in.
Microsoft does not recommend signing out of Office applications. According to their guidelines:
"As a Microsoft 365 subscriber, your Office apps are activated when you sign in. We recommend that you stay signed in so you can continue to create and edit files, view your recent files, and save new and updated files to OneDrive. Signing out is not recommended unless another person wants to use this installation of Office."
However, Microsoft also advises implementing an idle session timeout for Microsoft 365. This feature automatically logs users out after a set period of inactivity, which helps protect sensitive company data and adds an extra layer of security for end users who work on non-company or shared devices. When a user reaches the idle timeout you’ve set, they receive a notification indicating that they are about to be signed out. They must select an option to stay signed in; otherwise, they will be automatically signed out of all Microsoft 365 web apps.
Here are my questions:
I am trying to determine if our admin account is compromised or if the refresh tokens automatically logged her in at 1 AM under the interactive sign-in logs without her knowledge.
Please note the blue highlight successful sign-ins were not initiated by the user and she states this was not her. No other logs for the past month show her signing in at 1 AM in the morning.
Thank you for your assistance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 89%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHE%3C/text%3E%3C/svg%3E)
Hi @LM-5132 •
Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.
It did not answer my questions. I am hoping to receive more comments to help me.
Thank you
Hi @LM-5132 •
Thank you for reaching out Microsoft Q&A.
To Answer your Queries, Office admins using desktop applications within the office network don't need to sign in and out of office.com daily, As I recommend staying signed in to maintain access to Office apps. However, for added security, especially when handling sensitive data, it's advisable to implement an idle session timeout.
Similarly, when accessing Microsoft 365 SaaS via a browser within the office network, there’s no need to sign in and out every day as long as the session stays active. Again, implementing an idle session timeout can improve security, just like with desktop applications.
Best Regards,
Harshitha Eligeti.
Hi @LM-5132 •
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hi @LM-5132 •
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Your admins should not be using the same account for "regular" tasks, such as working with documents, and admin tasks, unless you leverage PIM. In any case, those do seem normal, she likely left a browser window opened overnight. If you are concerned about potential compromise, check the M365 audit logs for any suspicious activities by the same user (within or outside this timeframe).
I agree with you, and we are working on implementing the separation of duties. I checked the audit logs, and I did not find any obvious signs of malicious activity. However, it's important to remember that the goal of many breaches is to go undetected while gathering and exfiltrating data.
That said, I am seeking clarification on my earlier questions regarding daily login and logout. As a remote worker, I must log in daily. Office workers inside the office network use desktop apps and cloud apps. Microsoft does not recommend logging out of desktop apps but does recommend logging out of browser and web apps.
I am unsure if office workers need to log out of office.com every day and log into office.com every morning.
Thank you for the help.
If you want to go that route, the best option is via Conditional access policies: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#user-sign-in-frequency
