New Microsoft Entra ID Policy Mandates Fresh Logins for Sensitive Actions

Microsoft introduces new layer of protection with Entra ID reauthentication policy.

Published: Apr 22, 2025

Key Takeaways:

  • Microsoft’s new Reauthentication Every Time Policy requires reauthentication for specific actions.
  • This feature enhances security for sensitive applications and privileged operations.
  • The policy supports scenarios like securing VPN access and Azure Virtual Desktop logins.

Microsoft has announced the general availability of the "Require reauthentication every time" option of the Conditional Access sign-in frequency session control for Entra ID customers. The option lets administrators force a fresh user authentication whenever a specific application, authentication context or user action is evaluated, instead of letting an existing session carry over, giving tighter control over access to sensitive resources and user activities.

When the "Every time" setting is enabled, users must fully reauthenticate (primary credential and MFA) each time the policy is evaluated for the target resource. The prompt is tied to token issuance, not to the browser: simply closing and reopening the browser during the session does not by itself trigger an immediate reauthentication. Microsoft says the setting works best when the resource can detect that it needs a new token, because the reauthentication happens when the resource sends the user back to Microsoft Entra to obtain one. Once the session expires, the user is redirected to Microsoft Entra for authentication.

Use cases for new Microsoft Entra ID policy

Microsoft mentioned that fresh authentication could be required in various scenarios, including:

  • accessing sensitive applications;
  • securing privileged role elevation in PIM;
  • securing resources behind VPN or Network as a Service (NaaS) providers;
  • protecting user sign-ins to Azure Virtual Desktop machines;
  • protecting risky users and risky sign-ins identified by Microsoft Entra ID Protection;
  • securing sensitive user actions such as Microsoft Intune enrollment.

Microsoft recommends that IT admins carefully select which applications should require reauthentication every time. Overusing the setting leads to MFA fatigue: users who are prompted constantly start approving requests reflexively, which is exactly the behaviour that push-notification spam attacks rely on, so an over-broad policy can lower security rather than raise it.

“Web applications usually provide a less disruptive experience than their desktop counterparts when ‘require reauthentication every time’ is enabled. We factor for five minutes of clock skew when every time is selected in policy, so that we don’t prompt users more often than once every five minutes,” Microsoft explained.

Microsoft recommends that administrators use time-based user sign-in frequency for applications within the Microsoft 365 suite. This means that users will be prompted to sign in again after a specific time period (e.g., every 24 hours).

Additionally, for the Microsoft Entra admin center and the Azure portal, Microsoft suggests either a time-based user sign-in frequency or requiring reauthentication on PIM activation through an authentication context. In the latter setup the PIM role setting demands a Conditional Access authentication context on activation, and the Conditional Access policy that targets that context applies the "Every time" sign-in frequency, so the fresh prompt appears only at the moment of role elevation rather than on every portal visit. This helps ensure that only authorized users can perform sensitive administrative tasks within the organization.
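The two configurations the article recommends, as an added example using Microsoft Graph PowerShell (this is not code from the article or from Microsoft): one policy applies "Every time" to an authentication context that a PIM role setting or a sensitive app requests, and one applies a 24-hour time-based sign-in frequency to the Office 365 suite. The group IDs and the authentication context ID `c1` are placeholders, not real tenant values; the policy names are my own. Both policies are created in report-only mode and exclude an emergency-access group, which is what a practitioner would want before enforcing a reauthentication control.

```powershell
# Added example, not the article's or Microsoft's code. Needs the Microsoft.Graph.Identity.SignIns
# module and an account holding Conditional Access Administrator (or Global Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed placeholder IDs; replace with your own tenant's object IDs.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"  # emergency-access accounts, always excluded
$adminGroupId      = "00000000-0000-0000-0000-000000000002"  # users eligible for PIM roles
$authContextId     = "c1"  # authentication context created beforehand under Conditional Access > Authentication context

# Policy 1: full reauthentication (primary + MFA) every time a resource asks for authentication
# context c1. Link the PIM role setting "On activation, require Conditional Access authentication
# context" to c1 so the prompt fires at role elevation, not on every portal visit.
$everyTime = @{
    displayName = "CA-Reauth-EveryTime-AuthContext-c1"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users = @{
            includeGroups = @($adminGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeAuthenticationContextClassReferences = @($authContextId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"                          # the new option; no type/value when every time is used
            authenticationType = "primaryAndSecondaryAuthentication"  # re-do password and MFA, not just MFA
        }
    }
}

# Policy 2: time-based sign-in frequency for the Office 365 suite. Users are prompted again
# after 24 hours rather than on every token request, which avoids MFA fatigue for daily apps.
$daily = @{
    displayName = "CA-SIF-24h-Office365"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("Office365")   # Graph's keyword for the Office 365 app group
        }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "timeBased"
            type               = "hours"
            value              = 24
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

foreach ($policy in @($everyTime, $daily)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  {1}  state={2}" -f $created.Id, $created.DisplayName, $created.State
}
```

After creating the policies, watch the sign-in logs' "Report-only" tab for a few days: any user who would have been prompted more than once every five minutes against the authentication context policy is a sign that the context is being requested by more resources than intended, and the policy scope should be narrowed before it is switched to `enabled`.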