🎯 Purpose
✅ Prevent privileged users (admins) from maintaining persistent browser sessions, ensuring they must re‑authenticate frequently.
➡️ Reduces the risk of token theft, session hijacking, and long‑lived administrator sessions — a key Essential Eight Maturity Level 2–3 control.
👥 Who is affected
✅ Users: All Azure AD / Entra ID administrative roles (130+ privileged roles)
🚫 Exclusions: One exception group (typically break‑glass or PAW‑trusted group)
➡️ All admins are required to re‑authenticate frequently unless explicitly excluded.
☁️ What access is protected
✅ Applications: All cloud applications
✅ Client types: Browser, mobile, desktop, CLI tools, admin portals
➡️ Persistent sessions are disabled across all admin tools, including Azure/Entra portal, Teams/Exchange/SharePoint admin centers, Intune, Defender, and enterprise apps.
🔐 How persistent sessions are controlled
✅ Persistent Browser Session:
Mode: never
Enabled: true
➡️ Administrators cannot keep themselves signed in across browser restarts or device reboots.
This results in:
No long‑lived cookies
No “Keep me signed in”
Forced re‑auth after browser close
Reduced exposure to cookie theft and replay attacks
ℹ️ Note
This override applies even if tenant‑wide persistent browser settings are permissive.
For privileged accounts, this CA rule always takes precedence.
⚙️ What this policy does NOT enforce
🚫 MFA requirements
🚫 Device compliance
🚫 Location restrictions
🚫 Sign‑in risk
🚫 User risk
🚫 Session duration limits (other than blocking persistence)
🚫 Authentication Strength requirements
➡️ The policy’s sole purpose is disabling persistent browser sessions for admins.
🟢 Policy status
✅ Enabled
➡️ Actively preventing persistent browser sessions for all administrative roles.
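The configuration described above (admin roles in scope, one exclusion group, all cloud apps, all client types, persistent browser set to never, no grant controls or other conditions, state enabled) can be checked for drift against an exported policy. The script below is an added example, not part of this policy documentation or any Microsoft tooling; it assumes the policy was exported in the Microsoft Graph `conditionalAccessPolicy` JSON shape (for instance via `GET /identity/conditionalAccess/policies`), and the GUIDs in the sample are constructed placeholders rather than real tenant or role template IDs.

```python
"""Audit an exported Entra Conditional Access policy against the expectations
stated for the 'no persistent browser session for admins' policy."""
from __future__ import annotations

import copy
from typing import Any

# Constructed sample in the Graph conditionalAccessPolicy shape.
# GUIDs below are placeholders, not real role template or group IDs.
SAMPLE_POLICY: dict[str, Any] = {
    "displayName": "CA - Admins - No persistent browser session",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": ["00000000-0000-0000-0000-0000000000aa"],  # break-glass group (placeholder)
            "includeRoles": ["00000000-0000-0000-0000-0000000000bb"],   # privileged role template (placeholder)
            "excludeRoles": [],
        },
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "clientAppTypes": ["all"],
        "platforms": None,
        "locations": None,
        "signInRiskLevels": [],
        "userRiskLevels": [],
    },
    "grantControls": None,
    "sessionControls": {
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
        "signInFrequency": None,
        "applicationEnforcedRestrictions": None,
        "cloudAppSecurity": None,
    },
}


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Return a list of drift findings; an empty list means the policy matches expectations."""
    findings: list[str] = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, expected 'enabled'")

    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if not users.get("includeRoles"):
        findings.append("no directory roles in scope (includeRoles is empty)")
    if users.get("includeUsers") or users.get("includeGroups"):
        findings.append("policy targets users/groups directly; expected role-based scoping only")
    excluded = users.get("excludeGroups") or []
    if len(excluded) != 1:
        findings.append(f"{len(excluded)} exclusion groups, expected exactly one break-glass group")
    if users.get("excludeUsers") or users.get("excludeRoles"):
        findings.append("unexpected user or role exclusions present")

    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        findings.append("application scope is not 'All cloud apps' without exclusions")
    if cond.get("clientAppTypes") != ["all"]:
        findings.append(f"clientAppTypes is {cond.get('clientAppTypes')!r}, expected ['all']")

    # Conditions this policy must not carry: device, location and risk live in other policies.
    for key in ("platforms", "locations", "signInRiskLevels", "userRiskLevels"):
        if cond.get(key):
            findings.append(f"unexpected condition '{key}' configured")

    # No grant controls: this policy is session-only (no MFA / authentication strength here).
    grant = policy.get("grantControls")
    if grant and (grant.get("builtInControls") or grant.get("authenticationStrength")
                  or grant.get("customAuthenticationFactors")):
        findings.append("grant controls present; expected none for a session-only policy")

    session = policy.get("sessionControls") or {}
    pb = session.get("persistentBrowser") or {}
    if not (pb.get("isEnabled") is True and pb.get("mode") == "never"):
        findings.append(f"persistentBrowser is {pb!r}, expected isEnabled=True, mode='never'")
    for key in ("signInFrequency", "applicationEnforcedRestrictions", "cloudAppSecurity"):
        ctl = session.get(key)
        if ctl and ctl.get("isEnabled"):
            findings.append(f"unexpected session control '{key}' enabled")
    return findings


def drifted_policy() -> dict[str, Any]:
    """Constructed drift case: persistence re-enabled and a sign-in frequency bolted on."""
    p = copy.deepcopy(SAMPLE_POLICY)
    p["sessionControls"]["persistentBrowser"]["mode"] = "always"
    p["sessionControls"]["signInFrequency"] = {"isEnabled": True, "type": "hours", "value": 12}
    return p


if __name__ == "__main__":
    for name, pol in (("baseline", SAMPLE_POLICY), ("drifted", drifted_policy())):
        print(name, "->", audit_policy(pol) or "OK")
```

Running the audit on a scheduled export of all policies turns a one-time review into a drift alarm: any finding on this policy (persistence switched back on, a stray grant control, a second exclusion group) is a change to privileged-session exposure that deserves a ticket.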
📘 Security Alignment
✅ Aligns with Microsoft privileged access security guidance (PAW, Zero Trust, CAE)
✅ Supports Essential Eight Maturity Level 2–3 by reducing privileged-session attack surface
ℹ️ Strongly recommended for admin hardening and token‑replay prevention.
📘 Practical Interpretation (Executive‑Friendly)
This Conditional Access policy ensures that:
✅ Every administrator
❌ Cannot maintain persistent sessions
➡️ Must re‑authenticate whenever the browser session ends
This prevents long‑lived privileged tokens, significantly reducing risk from credential theft, replay attacks, and compromised browsers. It forms a core part of secure privileged access architecture and supports progressive Essential Eight maturity uplift.