No CA policy enforces sign-in frequency

No enabled Conditional Access policy configures a sign-in frequency session control, meaning tokens may remain valid indefinitely.

Category: Authentication
Default severity: Medium
Rule key: CHECK_CA_SIGN_IN_FREQUENCY

How to fix it

Configure sign-in frequency for privileged roles and sensitive applications to force periodic re-authentication and limit token replay risk.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Policy.Read.All
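
The condition this rule describes can be reproduced offline against an export of the tenant's Conditional Access policies (the data that Policy.Read.All exposes). The sketch below is an added example, not EntraAnalyzer's own code: the function names and sample policies are constructed, the field names follow the Microsoft Graph conditionalAccessPolicy resource, and treating report-only policies as non-enforcing is an assumption based on the rule's wording "enabled".

```python
from typing import Any

def policy_enforces_sif(policy: dict[str, Any]) -> bool:
    """True if the policy is enabled and carries an active sign-in frequency control."""
    # Disabled and report-only ("enabledForReportingButNotEnforced") policies
    # enforce nothing, so only state == "enabled" counts (assumption, see lead-in).
    if policy.get("state") != "enabled":
        return False
    # Graph returns sessionControls as null when no session control is set.
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return False
    # "everyTime" has no value/type; a time-based control needs a positive interval.
    if sif.get("frequencyInterval") == "everyTime":
        return True
    value = sif.get("value")
    return isinstance(value, int) and value > 0 and sif.get("type") in ("hours", "days")

def check_ca_sign_in_frequency(policies: list[dict[str, Any]]) -> dict[str, Any]:
    """Evaluate the rule: pass if at least one policy enforces sign-in frequency."""
    enforcing = [p["displayName"] for p in policies if policy_enforces_sif(p)]
    return {"rule": "CHECK_CA_SIGN_IN_FREQUENCY",
            "passed": bool(enforcing),
            "enforcing_policies": enforcing}

def _sif(enabled: bool, kind: str, value: int) -> dict[str, Any]:
    return {"signInFrequency": {"isEnabled": enabled, "type": kind, "value": value,
                                "frequencyInterval": "timeBased"}}

# Constructed sample tenant: three policies, none of which satisfies the rule.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "sessionControls": None},
    {"displayName": "SIF 4h (report-only)", "state": "enabledForReportingButNotEnforced",
     "sessionControls": _sif(True, "hours", 4)},
    {"displayName": "SIF control switched off", "state": "enabled",
     "sessionControls": _sif(False, "days", 1)},
]

# Same tenant after the fix: an enabled policy with an active control.
FIXED_POLICIES = SAMPLE_POLICIES + [
    {"displayName": "Admins: re-authenticate every 8h", "state": "enabled",
     "sessionControls": _sif(True, "hours", 8)},
]

if __name__ == "__main__":
    print(check_ca_sign_in_frequency(SAMPLE_POLICIES))
    print(check_ca_sign_in_frequency(FIXED_POLICIES))
```

The report-only and switched-off policies are the cases most likely to be mistaken for coverage when reviewing the policy list by eye.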

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
