| title | Require reauthentication with Conditional Access |
|---|---|
| description | Create a custom Conditional Access policy requiring reauthentication. |
| ms.topic | how-to |
| ms.date | 03/24/2026 |
| ms.reviewer | lhuangnorth |
Protect user access on unmanaged devices by preventing browser sessions from remaining signed in after the browser is closed and by setting a sign-in frequency of 1 hour, so users on those devices must reauthenticate every hour.
[!INCLUDE active-directory-policy-exclusions]
[!INCLUDE active-directory-policy-deploy-template]
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Give your policy a name. Create a meaningful standard for the names of your policies.
- Under Assignments, select Users or workload identities.
  - Under Include, select All users.
  - Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps').
- Under Conditions > Filter for devices, set Configure to Yes.
  - Under Devices matching the rule, select Include filtered devices in policy.
  - Under Rule syntax, select the Edit pencil, paste the following expression in the box, then select Apply:

    `device.trustType -ne "ServerAD" -or device.isCompliant -ne True`

  - Select Done.
- Under Access controls > Session:
  - Select Sign-in frequency, specify Periodic reauthentication, and set the duration to 1 and the period to Hours.
  - Select Persistent browser session, and set Persistent browser session to Never persistent.
  - Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to enable your policy.
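The following is an added worked example, not code from the Microsoft Learn article or from Microsoft. It models how the device filter rule above selects devices (so you can see which devices end up in scope before leaving report-only mode) and builds the equivalent Microsoft Graph `conditionalAccessPolicy` body. The Graph field names are taken from the Graph API as I know it, not from this page; the sample devices and the `<break-glass-group-id>` placeholder are constructed. The evaluator also assumes that a device with no Entra ID record has no `trustType` or `isCompliant` attribute and therefore satisfies a `-ne` comparison.

```python
"""Model the 'Filter for devices' rule from this policy and build the
equivalent Graph API body. Added example; assumptions are listed in the
lead-in and repeated in comments below."""
from dataclasses import dataclass
from typing import List, Optional

# The rule exactly as pasted into the admin center.
RULE = 'device.trustType -ne "ServerAD" -or device.isCompliant -ne True'


@dataclass
class Device:
    name: str
    # trustType values: "ServerAD" (hybrid joined), "AzureAD" (Entra joined),
    # "Workplace" (registered); None models an unregistered device.
    trust_type: Optional[str]
    # None models a device with no compliance state reported.
    is_compliant: Optional[bool]


def rule_matches(device: Device) -> bool:
    """True when the filter rule selects this device.

    Both clauses use -ne, so the only device the rule does NOT select is one
    that is both hybrid joined (trustType == "ServerAD") and compliant.
    Assumption: a missing attribute counts as 'not equal'."""
    not_hybrid_joined = device.trust_type != "ServerAD"
    not_compliant = device.is_compliant is not True
    return not_hybrid_joined or not_compliant


def policy_applies(device: Device, mode: str = "include") -> bool:
    """Apply the 'Devices matching the rule' setting.

    mode="include": the policy applies to devices the rule matches (this article).
    mode="exclude": the policy applies to devices the rule does not match."""
    matched = rule_matches(device)
    return matched if mode == "include" else not matched


def build_policy(display_name: str, break_glass_group_id: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies.

    Field names follow the Microsoft Graph conditionalAccessPolicy schema as
    I know it (assumption; not taken from this page)."""
    return {
        "displayName": display_name,
        # Report-only, matching the 'Enable policy: Report-only' step.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [break_glass_group_id],  # break-glass accounts
            },
            "applications": {"includeApplications": ["All"]},
            "devices": {"deviceFilter": {"mode": "include", "rule": RULE}},
        },
        "sessionControls": {
            # Sign-in frequency: periodic reauthentication every 1 hour.
            "signInFrequency": {
                "isEnabled": True,
                "type": "hours",
                "value": 1,
                "frequencyInterval": "timeBased",
            },
            # Persistent browser session: never persistent.
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }


# Constructed sample fleet (not real devices).
SAMPLE_DEVICES: List[Device] = [
    Device("hybrid-compliant", "ServerAD", True),
    Device("hybrid-noncompliant", "ServerAD", False),
    Device("entra-joined-compliant", "AzureAD", True),
    Device("byod-registered", "Workplace", None),
    Device("unregistered", None, None),
]


def devices_in_scope(devices: List[Device] = SAMPLE_DEVICES) -> List[str]:
    """Names of devices the policy would apply to, given the include-mode rule."""
    return [d.name for d in devices if policy_applies(d)]


if __name__ == "__main__":
    print("Policy applies to:", devices_in_scope())
    body = build_policy("Require reauthentication on unmanaged devices",
                        "<break-glass-group-id>")
    print(body["sessionControls"])
```

Running the sample fleet through the rule shows that only the hybrid-joined, compliant device is exempt; a Microsoft Entra joined device that is compliant is still in scope, because its `trustType` is `AzureAD`, not `ServerAD`. If that is not the intent for your tenant, review the report-only sign-in logs for such devices before enabling the policy.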
[!INCLUDE conditional-access-report-only-mode]
Use report-only mode for Conditional Access to determine the results of new policy decisions.