Hi @Anonymous • Thank you for reaching out.
- If you are using the KMSI (Keep Me Signed In) option, which issues a persistent session cookie, session cookies are NOT expired when the browser is closed.
- If the devices are Azure AD Registered/Joined/Hybrid-Joined, a PRT (Primary Refresh Token) is issued to the device, which is leveraged to provide a seamless SSO experience to the users when they close and reopen the browser.
- When KMSI is not used, session cookies expire when the browser session is closed.
If you are in any of the above scenarios, you can configure the below settings in a conditional access policy.
- Include all users or required set of users
- Include Office 365 under cloud apps
- Exclude the subnet(s) that represent your office IP addresses and include all locations
- Under sessions > select the checkbox for sign-in frequency > set a time, e.g. 3 hours.
A conditional access policy with the above settings configured would require users to sign in after every 3 hours when they are out of the office network.
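The policy settings listed in the answer above, expressed with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original answer. The display names and the 203.0.113.0/24 office range are placeholders, and creating the policy in report-only state is an assumption so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: requires the Microsoft.Graph PowerShell SDK and an account
# allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Named location for the office subnet(s).
#    203.0.113.0/24 is a placeholder; replace it with your office egress range(s).
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office network (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{
            '@odata.type' = '#microsoft.graph.iPv4CidrRange'
            cidrAddress   = '203.0.113.0/24'
        }
    )
}

# 2. Policy: all users, Office 365, every location except the office,
#    with a 3-hour sign-in frequency as the session control.
$policy = @{
    displayName = 'O365 - 3h sign-in frequency outside office (example)'
    # Report-only first; change to 'enabled' after reviewing the results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('Office365') }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($officeLocation.Id)
        }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 3
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```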