Enhancing Security: A Step-by-Step Guide to Disabling Persistent Browser Sessions in Microsoft 365

  • Writer: Jack Davies
  • Jun 29, 2025
  • 4 min read

In today's flexible working world, your team might be accessing company data from anywhere: a personal laptop, a shared family computer, or even a public terminal. While Microsoft 365 offers real convenience, features like the "Stay signed in?" prompt can become a security risk in these scenarios. A user might close the browser, believing they have signed out, while the persistent sign-in cookie stays on disk and the next person to open the browser on that device can reach their apps without entering a credential.

Fortunately, Microsoft Entra ID has a control for exactly this. A Conditional Access policy with the Persistent browser session control set to Never persistent makes every browser sign-in a session-only sign-in, so closing the browser ends the session and the next visit requires a fresh sign-in.

This guide walks through, step by step, how to configure that policy.


Before You Begin: Prerequisites


To implement this policy, you will need:

  • A Microsoft Entra ID P1 or P2 license. Conditional Access is a premium feature (P1 is included in Microsoft 365 E3 and Business Premium, P2 in E5). To check, open the Entra admin center and look at the Basic information panel on the Home (Overview) page, which lists the tenant's license.

    [Screenshot: the Home page's Basic information panel, showing the tenant name, tenant ID, primary domain and license]
  • Administrator privileges. You need a role that can create and manage Conditional Access policies. Conditional Access Administrator is the least-privileged choice and is the one to use for day-to-day policy work; Global Administrator also works.


The Step-by-Step Guide


Step 1: Sign in to the Microsoft Entra Admin Center


First things first. Head over to the central hub for your organisation's identity and access management.


Step 2: Locate the Conditional Access Policies


Once you're in the admin center, you need to find the Conditional Access section, which lives under the Protection menu.

  • In the left-hand menu, navigate to Protection > Conditional Access.


Step 3: Create a New Policy


You'll now see a dashboard of your existing policies. We're going to create a new one from scratch.

  • Select Policies from the submenu, then click + New policy.


Step 4: Name Your Policy


A clear naming convention is key to managing your policies later. Give it a name that clearly states its purpose.

  • Name: Disable Persistent Browser Sessions


Step 5: Assign the Policy to Users


Here, we define who this policy applies to. The goal is to apply it to everyone except your admin accounts.

  • Under Assignments, select Users.

  • On the Include tab, select All users.

  • On the Exclude tab, select Users and groups and choose your administrator accounts or a dedicated security group that contains them.


Always exclude at least one "break-glass" global administrator account from this and any new policy. This ensures you never accidentally lock yourself out of your own tenant.


Step 6: Select the Target Cloud Apps


Next, we define which applications this policy protects. Apply it to all cloud applications: Microsoft's documentation states that the persistent browser session control only works correctly when All cloud apps is selected, and a narrower scope would leave gaps in any case.

  • Under Target resources, select Cloud apps.

  • Ensure Select what this policy applies to is set to All cloud apps (newer builds of the admin center label this All resources (formerly 'All cloud apps')).


Step 7: Define the Conditions


This is a crucial step. We only want this policy to apply when users are accessing resources through a web browser, not through desktop or mobile clients like Outlook or Teams, which handle sessions differently.

  • Go to the Conditions section and click on Client apps.

  • Set the Configure toggle to Yes.

  • Under Select the client apps this policy will apply to, ensure that only the checkbox for Browser is selected.


Step 8: Configure the Session Control


This is where the policy does its work. We tell Microsoft Entra never to issue a persistent session for browser sign-ins. For users in scope, this overrides the tenant-wide "Show option to remain signed in" setting, so the "Stay signed in?" prompt is not shown at all.

  • Go to the Access controls section and click on Session.

  • Check the box for Persistent browser session.

  • From the dropdown menu that appears, choose the Never persistent option.


Step 9: Enable and Create the Policy


Finally, decide how to roll the policy out.


For a safe rollout, set Enable policy to Report-only first. The policy is then evaluated and recorded in the sign-in logs (the Conditional Access tab of each sign-in event, and the Conditional Access insights and reporting workbook) without affecting users. Review those results for a few days, then edit the policy and switch it to On.


  • At the bottom of the page, set the Enable policy toggle to Report-only (or On, if you have already piloted it).

  • Click the Create button to save the policy.
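The same policy can be created from the command line with the Microsoft Graph PowerShell SDK, which is useful for keeping Conditional Access in version control and for rolling the identical configuration out to several tenants. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that the caller holds the Conditional Access Administrator role, and that a security group named CA-Exclude-BreakGlass (a hypothetical name) already contains the break-glass and admin accounts to exclude.

```powershell
# Added example (not from the original post): build the "Disable Persistent
# Browser Sessions" policy via Microsoft Graph, mirroring Steps 4 to 9 above.
# Assumptions: the exclusion group name is hypothetical; the signed-in account
# can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Hypothetical security group holding the break-glass and admin accounts.
$excludeGroupName = "CA-Exclude-BreakGlass"
$excludeGroup = Get-MgGroup -Filter "displayName eq '$excludeGroupName'" | Select-Object -First 1
if (-not $excludeGroup) {
    # Never create a tenant-wide policy with no exclusion: that is how admins lock themselves out.
    throw "Exclusion group '$excludeGroupName' not found; refusing to create a policy without a break-glass exclusion."
}

$policy = @{
    displayName     = "Disable Persistent Browser Sessions"
    # Start in report-only (Step 9); switch to "enabled" after reviewing the sign-in logs.
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{
            includeUsers  = @("All")                 # Step 5: all users ...
            excludeGroups = @($excludeGroup.Id)      # ... except the admin/break-glass group
        }
        # Step 6: "All" is required for the persistent browser session control to work.
        applications   = @{ includeApplications = @("All") }
        # Step 7: browser sign-ins only; desktop and mobile clients are not affected.
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        # Step 8: "Never persistent" in the portal is mode = "never" in Graph.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# After the report-only review, enforce it (uncomment to run):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The script refuses to run if the exclusion group cannot be found, because a policy that targets All users and All cloud apps with no exclusions applies to the account that created it. The `state` value is deliberately report-only; flipping it to `enabled` is a separate, reviewed action.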


Verifying the Policy


Allow a few minutes for the policy to take effect. To test it:

  1. Use a non-administrator test account that is included in the policy's scope.

  2. Open a new browser session (an InPrivate or Incognito window works best, because it starts with no existing cookies).

  3. Sign in to a Microsoft 365 service such as portal.office.com.

  4. After signing in successfully, close the browser completely (all windows and tabs).

  5. Reopen the browser and navigate back to portal.office.com.

You should be prompted to sign in again, and the "Stay signed in?" prompt should not have appeared during the first sign-in. Confirm this in the Entra sign-in logs as well: open the test user's sign-in event and check the Conditional Access tab, where the policy should be listed as applied with the persistent browser session control shown as enforced (in Report-only mode it appears under the Report-only tab instead). Two caveats when testing on a real workstation rather than a private window: Chromium browsers with session restore enabled ("Continue where you left off" in Chrome, and the equivalent Edge start-up setting) keep session cookies across a restart, so a sign-in can survive closing the browser even though no persistent cookie was issued; and the control only governs browser sessions, so tokens already held by desktop and mobile apps such as Outlook and Teams are not revoked by it.
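Checking the sign-in logs by hand works for one test user, but the same check is quicker to repeat from PowerShell, and it shows exactly which result and session controls Entra recorded for each browser sign-in. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All permission (reading sign-in logs also needs an Entra ID P1 or P2 tenant), and a placeholder test account UPN that you replace with your own.

```powershell
# Added example (not from the original post): list a test user's recent browser
# sign-ins and show how the "Disable Persistent Browser Sessions" policy was applied.
# Assumptions: the UPN below is a placeholder; the policy name matches Step 4.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$testUser   = "ca-test@contoso.example"            # placeholder test account
$policyName = "Disable Persistent Browser Sessions"

# Pull the most recent sign-ins for the test user, then keep only browser sign-ins
# (the policy's Client apps condition means other clients are never evaluated against it).
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUser'" -Top 20 |
    Where-Object { $_.ClientAppUsed -eq "Browser" }

foreach ($s in $signIns) {
    # Each sign-in carries the list of Conditional Access policies evaluated for it.
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName } |
        Select-Object -First 1

    # "success" = enforced; "reportOnlySuccess" = evaluated in Report-only mode;
    # "notApplied" means a condition (user, app, client type) excluded this sign-in.
    $result   = if ($applied) { $applied.Result } else { "not evaluated" }
    $controls = if ($applied) { $applied.EnforcedSessionControls -join ", " } else { "" }

    [pscustomobject]@{
        Time            = $s.CreatedDateTime
        App             = $s.AppDisplayName
        Client          = $s.ClientAppUsed
        PolicyResult    = $result
        SessionControls = $controls
    }
}
```

A row with PolicyResult `success` (or `reportOnlySuccess` while piloting) for the sign-in you performed in step 3 confirms the policy matched; `notApplied` points at a scoping problem, most often the test account sitting in the exclusion group or the client not being recorded as Browser.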
