Conditional Access - Sign In Frequency - Periodic reauthentication

Norman 26 Reputation points

Dear community,

our users had to re-authenticate with sign-in frequency active and set to 30 days - and I am trying to understand why. Maybe somebody experienced a similar behaviour.

We have sign-in frequency set to 30 days and it should be rolling 30 days..
But when I checked today I found a new setting "periodic reauthentication" which is active and cannot be deactivated. I am sure it was not there when we initially configured CA.

The info field still says:
"Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer."

I am thinking about dis-activating "Sign-In Frequency" and using the 90 days rolling windows, to prevent this errors:
"The session has expired or is invalid due to sign-in frequency checks by conditional access."
Browser: Chrome 100.0.4896
Operating System Windows 10
Compliant No
Managed No


"The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
Application: Apple Internet Accounts
Operating System Ios
Compliant No
Managed No

Any Ideas?
Thank you!


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,876 questions
{count} votes

Accepted answer
  1. Shweta Mathur 15,071 Reputation points Microsoft Employee

    Hi NormanJ-8524,

    Thanks for reaching out.

    I understood that users are forced to reauthenticate in the application every 30 days as conditional policy of 30 days has been setup in sign-in frequency as below


    This is the expected behavior for sign-in frequency if periodic reauthentication has been setup 30 days.

    As per info, The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days but we can apply sign-in frequency conditional policy to asked the users to sign in again after the period which is define in "Periodic reauthentication".

    In case users need to reauthenticate after 90 days, there is no need to set sign in frequency conditional policy as this is default Azure AD behavior.

    To disable sign-in frequency to rollout every 30 days, unchecked the "Sign-in frequency" and do not configure any session control.

    Hope this will help.


    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful