Disable Persistent Browser Sessions: Long-Lived Session Exposure Risk

Why this risk matters

When a user signs into Microsoft 365 in a browser and selects "Stay signed in", or is issued a session cookie that outlives the browser window, their authenticated session remains active on that device, potentially for days, weeks, or longer. On a managed corporate device this is a reasonable convenience. On a shared device, a personal machine, or any device that subsequently falls outside the organisation's control, it becomes a standing access risk.

Persistent browser sessions are particularly problematic in environments where users access Microsoft 365 from browsers on non-corporate devices — home computers, personal laptops, hotel kiosks, or borrowed devices. If the browser profile is accessible to another person, or if the device is lost or stolen, the authenticated session is immediately accessible without any additional authentication challenge.

A Conditional Access policy that disables persistent browser sessions forces re-authentication on every new browser session, ensuring that each access event requires a fresh authentication rather than relying on a potentially stale cookie.

What happens if this is abused

  • User accesses Microsoft 365 on a shared or personal device, leaves the session open, and a third party uses it without any additional authentication
  • Lost or stolen device provides immediate access to Microsoft 365 without needing the user's credentials or MFA
  • Browser session cookie stolen via malware or cross-site scripting gives attacker persistent access without triggering a new sign-in event
  • User forgets they are signed in on a device they no longer control (e.g. a repaired laptop, returned loaner device) — session remains active
  • Session persists after a password reset or MFA change, because the existing cookie remains valid until it expires unless the user's sessions are explicitly revoked

When this is expected or acceptable

Some scenarios justify persistent sessions:

  • Managed, compliant corporate devices where re-authentication on every browser session would create significant user friction with low additional security benefit, since the device itself is protected
  • Kiosk or shared device configurations that use dedicated sign-in flows rather than standard browser sessions (these should use a dedicated Conditional Access policy anyway)

The most common approach is to disable persistent sessions for unmanaged devices only — requiring re-authentication for personal or unregistered devices while allowing persistent sessions on managed, compliant corporate machines.

Checks to perform before taking action

  • Identify what proportion of your users access Microsoft 365 from unmanaged or personal devices — this affects both the risk reduction and the user experience impact
  • Check whether your existing Conditional Access policies have a session control for "Persistent browser session" and what value it is currently set to
  • Consider whether to apply this broadly or only to unmanaged/non-compliant devices
  • Deploy in Report-only mode and assess how many active sessions would be affected
  • Communicate to users that they will need to sign in at the start of each browser session if they are accessing from personal devices

Safe remediation steps

  1. Create or update a Conditional Access policy with a Session control set to "Persistent browser session: Never persistent"
  2. Scope the policy to All users; optionally add a device filter to exclude managed, compliant devices if persistent sessions are acceptable there
  3. Deploy in Report-only mode to assess impact
  4. Communicate the change to users, particularly those who regularly use personal devices to access work resources
  5. Enforce the policy
  6. Monitor for user experience complaints and adjust device exclusions as appropriate
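The following script is an added example, not part of this guidance or of Microsoft's own tooling. It covers two of the steps above: the pre-check that inspects what value "Persistent browser session" is set to in existing policies, and the remediation policy itself, expressed as the Microsoft Graph request body for POST /identity/conditionalAccess/policies. The policy is scoped to All users and all cloud apps, targets browser sessions, sets "Persistent browser session: Never persistent", starts in Report-only mode, and (optionally) excludes compliant devices through a device filter. The sample policies used for the audit are constructed for illustration; the display names, the break-down of the audit output, and the helper function names are assumptions of this example. Sending the body to Graph with an access token (Policy.ReadWrite.ConditionalAccess) is left to the caller.

```python
"""Build and audit Entra ID Conditional Access policies for the
"Persistent browser session" session control (Microsoft Graph schema).
Example code; the SAMPLE_POLICIES below are constructed, not real tenant data."""
import json
from typing import Any, Dict, List, Optional

# Entra device-filter rule that matches devices marked compliant by Intune.
COMPLIANT_DEVICE_RULE = "device.isCompliant -eq True"

# Graph policy states: "enabled", "disabled", "enabledForReportingButNotEnforced".
REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_never_persistent_policy(
    display_name: str = "CA - Never persistent browser sessions on unmanaged devices",
    exclude_compliant_devices: bool = True,
    report_only: bool = True,
) -> Dict[str, Any]:
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    The persistent browser control only takes effect when the policy targets
    all cloud apps, so includeApplications is fixed to ["All"].
    """
    policy: Dict[str, Any] = {
        "displayName": display_name,
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # Session controls only matter for browser sign-ins.
            "clientAppTypes": ["browser"],
        },
        "sessionControls": {
            # mode "never" == "Never persistent" in the portal.
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }
    if exclude_compliant_devices:
        # Managed, compliant devices keep the "Stay signed in" convenience.
        policy["conditions"]["devices"] = {
            "deviceFilter": {"mode": "exclude", "rule": COMPLIANT_DEVICE_RULE}
        }
    return policy


def persistent_browser_setting(policy: Dict[str, Any]) -> str:
    """Describe a policy's persistent-browser control as Graph returns it.

    Graph returns sessionControls (or persistentBrowser) as null when the
    control was never configured, so every level is treated as optional.
    """
    session: Optional[Dict[str, Any]] = policy.get("sessionControls") or {}
    ctrl: Optional[Dict[str, Any]] = session.get("persistentBrowser") or {}
    if not ctrl.get("isEnabled"):
        return "not configured"
    return ctrl.get("mode", "unknown")  # "always" or "never"


def audit_persistent_browser(policies: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Summarise each policy's state and persistent-browser value (pre-check)."""
    findings = []
    for p in policies:
        setting = persistent_browser_setting(p)
        findings.append({
            "displayName": p.get("displayName"),
            "state": p.get("state"),
            "persistentBrowser": setting,
            # Only an *enforced* "never" policy actually reduces the exposure.
            "enforcesNever": p.get("state") == "enabled" and setting == "never",
        })
    return findings


def tenant_enforces_never_persistent(policies: List[Dict[str, Any]]) -> bool:
    """True if at least one enabled policy sets Never persistent."""
    return any(f["enforcesNever"] for f in audit_persistent_browser(policies))


# Constructed sample of what GET /identity/conditionalAccess/policies might
# return, reduced to the fields this audit reads.
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {"displayName": "CA001 - Require MFA for all users", "state": "enabled",
     "sessionControls": None},
    {"displayName": "CA002 - Managed devices stay signed in", "state": "enabled",
     "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "always"}}},
    {"displayName": "CA003 - No persistent sessions (pilot)", "state": REPORT_ONLY,
     "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]

if __name__ == "__main__":
    for f in audit_persistent_browser(SAMPLE_POLICIES):
        print(f"{f['displayName']:<45} {f['state']:<36} {f['persistentBrowser']}")
    print("Enforced Never persistent:", tenant_enforces_never_persistent(SAMPLE_POLICIES))
    print(json.dumps(build_never_persistent_policy(), indent=2))
```

In the constructed sample the audit reports that the only "never" policy is still in Report-only mode, so the tenant is not yet covered; adding the built policy with report_only=False (step 5 above) flips that result. The device filter uses the "exclude" mode so the policy applies to every device except those Intune marks compliant, which matches the "unmanaged devices only" approach described earlier.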

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Session Hijack via Unusual IP Change — persistent sessions are more valuable to attackers because they provide longer-lasting access; reducing session lifetime limits the attack window
  • CA MFA Bypass Paths — ensure session lifetime controls are consistent with your MFA enforcement policies
  • Devices Overview — review whether unmanaged devices accessing your tenant should have stronger access controls applied more broadly
  • Require Token Binding Protection — a complementary control that makes stolen session tokens harder to reuse from different devices