
New in CIS Microsoft 365 Benchmark v7: Periodic Reauthentication for All Users

  • Writer: Kyle Cira
  • May 29
  • 3 min read
Periodic reauthentication for all users

For years, Microsoft 365 security guidance has focused heavily on protecting administrative accounts. That makes sense—administrators have elevated privileges and represent some of the highest-value targets in an organization.


One long-standing CIS Microsoft 365 control reflects that reality:


5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users


This control requires administrators to:


  • Reauthenticate at least every four hours

  • Use non-persistent browser sessions


But with the release of CIS Microsoft 365 Benchmark v7, the guidance has expanded.

CIS now recommends that all users—not just administrators—periodically reauthenticate.


Why Reauthentication Matters

Modern attackers don't always need your password.


Increasingly, threat actors are targeting session tokens instead.


A session token is created after a successful sign-in and allows users to continue working without repeatedly entering their credentials. While this improves usability, it also creates an opportunity for attackers.


Session tokens can be stolen through:


  • Phishing attacks

  • Malware infections

  • Browser compromise

  • Remote access to a compromised device


Once a token is stolen, an attacker can often import it into their own browser and resume the victim's authenticated session.


In many cases, this allows the attacker to bypass the need to know the user's password entirely.


Reducing the Lifespan of Compromise

The purpose of periodic reauthentication is simple:


Reduce the amount of time a stolen credential or session token remains useful.


The longer a session remains active, the more time an attacker has to:


  • Access sensitive information

  • Move laterally through the environment

  • Establish persistence

  • Exfiltrate data


By requiring users to periodically reauthenticate, organizations limit the maximum lifetime of compromised credentials and sessions.


What's New in Version 7?

CIS v7 introduces:


5.2.2.13 Ensure that periodic reauthentication is required for all users


The recommendation is that standard users reauthenticate at least once every seven days.


This is a significant shift in CIS's security guidance and reflects the growing threat posed by session hijacking attacks.


Why Admins Still Have Stricter Requirements


Not all accounts carry the same level of risk.


Administrative accounts can:


  • Modify security settings

  • Create new users

  • Grant permissions

  • Access highly sensitive organizational data


Because of this elevated risk, CIS continues to require administrators to reauthenticate much more frequently than standard users.


The benchmark currently recommends:


  • Administrators: Every 4 hours

  • Standard users: Every 7 days


This approach balances security and usability while recognizing that privileged accounts require additional protection.
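As an added example (not code from the post, from CIS, or from Microsoft), the script below audits a set of Conditional Access policy objects, in the shape Microsoft Graph returns from /identity/conditionalAccess/policies, against the settings named above: a sign-in frequency of at most 4 hours and non-persistent browser sessions for administrator roles, and a sign-in frequency of at most 7 days for all users. The two policy objects are constructed samples; the role id used is the Global Administrator role template id, and a policy in report-only state is treated as enforcing nothing.

```python
"""Audit Conditional Access policies against CIS 5.2.2.4 and 5.2.2.13.

Added example; not code from the original post or from CIS. The policies
below are constructed by hand in the shape Microsoft Graph returns from
/identity/conditionalAccess/policies (only the fields the checks need).
"""
HOURS_PER_UNIT = {"hours": 1, "days": 24}
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id


def enforced_hours(policy):
    """Reauthentication interval in hours this policy enforces, or None.
    Report-only policies ('enabledForReportingButNotEnforced') enforce nothing."""
    if policy.get("state") != "enabled":
        return None
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0  # stricter than any time-based interval
    return sif["value"] * HOURS_PER_UNIT[sif["type"]]


def blocks_persistent_browser(policy):
    pb = (policy.get("sessionControls") or {}).get("persistentBrowser") or {}
    return policy.get("state") == "enabled" and pb.get("isEnabled") is True and pb.get("mode") == "never"


def targets_admin_roles(policy):
    return bool(policy.get("conditions", {}).get("users", {}).get("includeRoles"))


def targets_all_users(policy):
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def audit(policies):
    """Map each CIS setting to True when some enabled policy satisfies it."""
    def within(p, limit):
        h = enforced_hours(p)
        return h is not None and h <= limit
    return {
        "5.2.2.4_admin_sign_in_frequency_4h": any(targets_admin_roles(p) and within(p, 4) for p in policies),
        "5.2.2.4_admin_non_persistent_browser": any(targets_admin_roles(p) and blocks_persistent_browser(p) for p in policies),
        "5.2.2.13_all_users_7d": any(targets_all_users(p) and within(p, 7 * 24) for p in policies),
    }


# Constructed sample: the admin policy is enforced, the all-users policy is still report-only.
SAMPLE_POLICIES = [
    {"displayName": "CIS 5.2.2.4 - admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased", "type": "hours", "value": 4},
                         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
    {"displayName": "CIS 5.2.2.13 - all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased", "type": "days", "value": 7}}},
]

if __name__ == "__main__":
    for control, ok in audit(SAMPLE_POLICIES).items():
        print(f"{control}: {'PASS' if ok else 'FAIL'}")
```

Run against the sample, the two admin checks pass and the all-users check fails because that policy has not been moved out of report-only mode; flipping its state to "enabled" makes it pass.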


MFA is no longer a silver bullet for security


For years, security conversations focused on a simple message: Enable MFA.


That guidance remains critically important.


However, CIS v7 makes it clear that modern identity protection goes beyond MFA alone.


Organizations should now think about identity security controls such as:


  1. Phishing-resistant MFA

  2. Conditional Access

  3. Token Protection

  4. Periodic Reauthentication


Together, these controls help protect against both credential theft and session hijacking attacks.


Final Thoughts

The addition of periodic reauthentication for all users highlights an important reality:


Attackers are evolving, and security standards must evolve with them.

MFA remains one of the most effective security controls available, but it is no longer sufficient by itself. Organizations must also consider how long authenticated sessions remain active and what happens if those sessions are compromised.


CIS Microsoft 365 Benchmark v7 recognizes this shift and now recommends that all users periodically prove they are still who they claim to be.


At Redeemer Cyber, we help organizations implement the latest CIS Microsoft 365 Benchmark recommendations and translate security guidance into practical, business-friendly solutions.


If you'd like to understand how your Microsoft 365 environment aligns with CIS v7, contact Redeemer Cyber today for a Microsoft 365 Security Assessment.
