
EID-EXP-015: MFA Is Not Enough: A Technical Deep Dive into Session Persistence in Microsoft Entra ID

8 April 2026 by
Jaspreet Singh

Based on Lab: EID-EXP-015 (f11.ca)


Multi-Factor Authentication (MFA) is widely adopted as a core identity security control in Microsoft Entra ID.

MFA verifies identity at sign-in. It does not, by itself, govern what happens during the session that follows.

To understand the broader implications, this analysis examines session persistence in Entra ID, outlines what occurs after the MFA challenge is satisfied, and explains the resulting security exposure.

Authentication vs Session: The Critical Distinction

When a user signs in:

  1. Credentials are validated
  2. MFA challenge is satisfied
  3. A Primary Refresh Token (PRT) is issued to an Entra joined or registered device, or a session cookie to the browser, together with the access and refresh tokens that applications use. (Understanding Primary Refresh Token (PRT) in Microsoft Entra ID, 2025)
  4. Access is granted to cloud resources.

At this point, authentication is complete.

From here on, access is governed by the session, not by the sign-in.

Authentication validates identity at login. The session carries that trust forward, silently, until something ends it.

Having established the distinction between authentication and session, let’s explore what happens after MFA.

Once MFA is approved:

  • A session artifact (browser session cookie, refresh token or PRT) is stored in the browser or on the device.
  • Its lifetime is governed by:

    • Conditional Access session controls (sign-in frequency, persistent browser session)
    • Default token and session lifetimes when no policy sets them (Conditional Access adaptive session lifetime policies - Microsoft Entra ID, 2025)
  • Applications (Outlook, OneDrive, Teams) rely on this session rather than on a fresh credential check. (Analyser, 2025)

Important Behavior:

  • No MFA re-prompt
  • No password required
  • Access continues silently

This is by design, not a misconfiguration.

Lab Observation (EID-EXP-015)

In a controlled Entra ID lab:

  • User logs in with MFA
  • Accesses Outlook and OneDrive
  • Leaves the session idle
  • Returns after several minutes

Result:

  • Session remains active
  • No re-authentication triggered
  • Full access persists

Technical Interpretation

This behavior is driven by:

  • Token-based authentication: the client presents a token, not a credential
  • Session persistence policies
  • No enforced re-authentication interval (no sign-in frequency policy in place)

Session Tokens and Trust Model

Microsoft Entra ID uses:

  • Primary Refresh Tokens (PRT), bound to a registered or joined device and used to obtain tokens silently
  • Access tokens (short-lived, app-specific; 60 to 90 minutes by default)
  • Refresh tokens (long-lived, 90 days by default and extended on use, to renew access tokens) (Understanding Primary Refresh Token (PRT) in Microsoft Entra ID, 2025)

Trust Assumption:

Once issued, tokens are trusted until:

  • Expiration
  • Revocation
  • Policy re-evaluation (Continuous Access Evaluation (CAE), 2023)

Security Implication:

If a session token is exposed, it grants access until it is revoked or expires. (Understanding Tokens in Microsoft Entra ID, 2025) Revocation reaches a refresh token at its next use; an access token that has already been issued keeps working until its own expiry unless both the client and the resource support CAE.
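The exposure window in the previous sentence can be read straight out of a token's claims. The following is an added example, not code from the lab or from Microsoft: it builds an unsigned token from constructed claims (fake tenant, fake user, empty signature) so it runs offline, then decodes the payload the way an analyst would when triaging a leaked token. The claim names it reads (iat, nbf, exp, amr, xms_cc) are the ones Entra ID issues; the signature is never verified, so nothing here may be used for an authorization decision.

```python
"""Read the validity window and issuance context from an Entra ID access token.

Added example, not code from the lab or from Microsoft. The token is built
here from constructed claims (fake tenant, fake user, 'alg: none', empty
signature) so the script runs offline; a real token carries the same
iat / nbf / exp / amr / xms_cc claims, which is all this reads.
The signature is never verified; the output must not drive authorization.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(iat: int, lifetime_seconds: int, cae_capable: bool) -> str:
    """Constructed, unsigned JWT shaped like an Entra access token for Graph."""
    header = {"typ": "JWT", "alg": "none"}
    claims = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # fake tenant
        "iat": iat,
        "nbf": iat,
        "exp": iat + lifetime_seconds,
        "upn": "alice@contoso.example",  # fake user
        "amr": ["pwd", "mfa"],  # MFA was satisfied when this token was issued
    }
    if cae_capable:
        claims["xms_cc"] = ["cp1"]  # client declared CAE capability at token request
    return ".".join(
        [_b64url_encode(json.dumps(header).encode()),
         _b64url_encode(json.dumps(claims).encode()),
         ""]
    )


def token_window(token: str, now: int) -> dict:
    """Decode the payload (no signature check) and describe its exposure window."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    iat, exp = int(claims["iat"]), int(claims["exp"])
    remaining = exp - now
    return {
        "subject": claims.get("upn") or claims.get("oid"),
        "audience": claims.get("aud"),
        "lifetime_minutes": (exp - iat) // 60,
        "remaining_minutes": max(remaining, 0) // 60,
        "expired": remaining <= 0,
        # amr shows what was proven at issuance, not whether MFA is still "fresh".
        "mfa_at_issuance": "mfa" in claims.get("amr", []),
        # Without cp1 the resource learns of a revocation only at exp;
        # with it, CAE can end the session early on a critical event.
        "cae_capable": "cp1" in claims.get("xms_cc", []),
    }


if __name__ == "__main__":
    issued = int(time.time()) - 10 * 60  # issued ten minutes ago
    tok = make_sample_token(issued, 75 * 60, cae_capable=False)  # 75 min sits inside the 60-90 min default
    print(json.dumps(token_window(tok, int(time.time())), indent=2))
```

The point to take from the output is that a stolen token with no cp1 capability is good for `remaining_minutes` regardless of anything you do in the admin center; CAE-capable tokens are deliberately issued with longer lifetimes because the resource can be told to stop honouring them early.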

Why This Matters for Security Engineers

This introduces several real-world risks:

1.  Unattended Device Risk

  • User leaves the device unlocked
  • Session remains active
  • No MFA barrier between a walk-up attacker and the data

2.  Session Token Theft

  • Browser compromise
  • Malware or info-stealers
  • Token extraction (session cookies, refresh tokens)

Result:

  • Session replay from the attacker's own machine
  • No password or MFA required, because the stolen artifact already carries the MFA claim

3.  Lack of Continuous Validation

  • MFA is not re-evaluated
  • Session trust persists
  • No adaptive re-check unless CAE or a sign-in frequency policy forces one

Why Logs Don’t Help Much

Even in the Entra ID sign-in logs:

  • MFA shows as satisfied whether the user was freshly challenged or an earlier session supplied the claim
  • Session lifetime is not reported as such
  • A fresh login and ongoing session usage look alike in the summary view; the difference sits in the authentication details of each event (Sign-in event details for Microsoft Entra multifactor authentication, 2025)

Result:

Engineers can be misled into believing an MFA prompt stood between the user and the data when, for most of the day, the only thing presented was a token carrying an earlier claim.

Practitioner caveat: the distinction is recoverable. In the authentication details of a sign-in event, a fresh challenge records the method used (Microsoft Authenticator, FIDO2 key, and so on), whereas a session-backed sign-in records "MFA requirement satisfied by claim in the token". Silent token refreshes by desktop and mobile clients are recorded separately as non-interactive user sign-ins. Filtering on that result detail is the quickest way to see how much of your traffic is riding an old claim.
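To make that distinction concrete, here is an added example (not part of the lab or of any Microsoft tooling) that runs over a handful of constructed sign-in records shaped like the Microsoft Graph `signIn` resource and separates fresh MFA challenges from session reuse, then reports how long each user has been riding a single MFA claim. The records, user names and timestamps are invented; the field names (`isInteractive`, `authenticationRequirement`, `authenticationDetails[].authenticationStepResultDetail`) and the result-detail string it matches on are the ones the sign-in log exposes.

```python
"""Classify Entra ID sign-in log events as fresh MFA challenges versus
session reuse, and report how long each user has been riding one MFA claim.

Added example, not the lab's code. The events below are constructed; their
field names follow the Microsoft Graph `signIn` resource, but no live log
is read. Feed it the JSON returned by GET /auditLogs/signIns to use it for real.
"""
from datetime import datetime

# Result-detail strings Entra ID emits when an earlier MFA claim, not a
# new challenge, satisfied the MFA requirement.
SESSION_REUSE_MARKERS = (
    "mfa requirement satisfied by claim in the token",
    "mfa requirement satisfied by claim provided by external provider",
)

SAMPLE_SIGN_INS = [  # constructed sample data
    {   # interactive sign-in, password plus Authenticator: a fresh challenge
        "id": "evt-1", "createdDateTime": "2026-04-08T08:00:00Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Office 365 Exchange Online", "isInteractive": True,
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Microsoft Authenticator App", "succeeded": True,
             "authenticationStepResultDetail": "MFA completed in Azure AD"},
        ],
    },
    {   # same user opens OneDrive hours later: MFA "satisfied" by the old claim
        "id": "evt-2", "createdDateTime": "2026-04-08T13:30:00Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "OneDrive", "isInteractive": True,
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"},
        ],
    },
    {   # silent refresh by the Teams desktop client, logged as non-interactive
        "id": "evt-3", "createdDateTime": "2026-04-08T19:05:00Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Microsoft Teams", "isInteractive": False,
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"},
        ],
    },
    {   # a user no policy ever challenged for MFA
        "id": "evt-4", "createdDateTime": "2026-04-08T09:15:00Z",
        "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "Office 365 SharePoint Online", "isInteractive": True,
        "authenticationRequirement": "singleFactorAuthentication",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
        ],
    },
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_sign_in(event: dict) -> str:
    """Return 'fresh_mfa', 'session_reuse', 'single_factor' or 'failed'."""
    details = event.get("authenticationDetails", [])
    if not all(d.get("succeeded", False) for d in details):
        return "failed"
    if event.get("authenticationRequirement") != "multiFactorAuthentication":
        return "single_factor"
    for d in details:
        result = (d.get("authenticationStepResultDetail") or "").lower()
        if any(marker in result for marker in SESSION_REUSE_MARKERS):
            return "session_reuse"
    return "fresh_mfa"


def mfa_claim_age_report(events: list, now_iso: str) -> dict:
    """Per user: hours since the last fresh MFA challenge and how many
    sign-ins (interactive or silent) have reused that claim since."""
    now = _ts(now_iso)
    report = {}
    for ev in sorted(events, key=lambda e: _ts(e["createdDateTime"])):
        entry = report.setdefault(ev["userPrincipalName"],
                                  {"last_fresh_mfa": None, "reuse_count": 0, "single_factor_count": 0})
        kind = classify_sign_in(ev)
        if kind == "fresh_mfa":
            entry["last_fresh_mfa"] = ev["createdDateTime"]
            entry["reuse_count"] = 0          # a new challenge resets the clock
        elif kind == "session_reuse":
            entry["reuse_count"] += 1
        elif kind == "single_factor":
            entry["single_factor_count"] += 1
    for entry in report.values():
        last = entry["last_fresh_mfa"]
        entry["hours_since_fresh_mfa"] = (
            None if last is None else round((now - _ts(last)).total_seconds() / 3600, 1))
    return report


if __name__ == "__main__":
    for user, entry in mfa_claim_age_report(SAMPLE_SIGN_INS, "2026-04-08T20:00:00Z").items():
        print(user, entry)
```

Run against a real export, `hours_since_fresh_mfa` is the number to watch: it tells you how old the claim behind a user's current access is, which no single event in the log states directly.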

Mitigation Strategies (Technical Controls)

1. Sign-In Frequency (Critical)

Force re-authentication at defined intervals:

  • Example: Every 1–4 hours for privileged users
  • "Every time" for the most sensitive applications

Sign-in frequency is a Conditional Access session control. It sets the time before a user is asked to sign in again (periodic, in hours or days, or every time) and can require the full primary plus secondary authentication rather than MFA alone. This:

  • Breaks long-lived sessions
  • Forces MFA re-validation
  • Governs the next token refresh; it does not shorten access tokens already issued

2. Continuous Access Evaluation (CAE)

  • Enforces near real-time policy checks between the resource and Entra ID, for CAE-capable clients and resources (Exchange Online, SharePoint Online, Teams, Microsoft Graph)
  • Reacts to:

    • Password changes or resets
    • Account disablement or deletion
    • Admin-issued session revocation
    • Risk signals (user risk, network location outside policy)

3. Conditional Access Hardening

Apply:

  • Device compliance requirements
  • Location-based restrictions
  • Risk-based policies
  • Persistent browser session set to never persist on unmanaged devices

4. Session Revocation

Manually or automatically:

  • Revoke active sessions (the Revoke sessions action in the Entra admin center, or the Microsoft Graph revokeSignInSessions action on the user)
  • Invalidate refresh tokens and browser session cookies; access tokens already issued remain valid until they expire unless CAE is in play
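Controls 1, 3 and 4 above can be expressed as Microsoft Graph payloads, which is also the easiest way to audit what a tenant actually has. The block below is an added example, not code from the lab or from Microsoft: the policy name, the four-hour interval, the excluded break-glass id and the user id are assumptions, and nothing is sent anywhere (a caller would POST these to Graph with an admin bearer token). The shapes follow the Graph conditionalAccessPolicy resource (`sessionControls.signInFrequency`, `sessionControls.persistentBrowser`) and the `users/{id}/revokeSignInSessions` action.

```python
"""Conditional Access session controls and session revocation as Microsoft
Graph request payloads, with a check that flags weak session settings.

Added example, not the lab's or Microsoft's code. The policy name, the
interval, the excluded id and the user id are assumptions, and nothing is
sent to Graph. Shapes follow the conditionalAccessPolicy resource
(sessionControls.signInFrequency / persistentBrowser) and the
users/{id}/revokeSignInSessions action.
"""
GRAPH = "https://graph.microsoft.com/v1.0"
FAKE_BREAK_GLASS_ID = "11111111-2222-3333-4444-555555555555"  # placeholder object id


def sign_in_frequency_policy(hours, report_only=True,
                             display_name="CA-Session-ReauthEvery4h",
                             break_glass_ids=()):
    """Policy requiring MFA, re-authentication every `hours`, and no persistent
    browser cookie. Starts in report-only mode so impact can be measured first."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_ids)},  # never lock out emergency accounts
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "timeBased",   # "everyTime" for the most sensitive apps
                "type": "hours",                    # "hours" or "days"
                "value": hours,
                "authenticationType": "primaryAndSecondaryAuthentication",  # password and MFA, not MFA alone
            },
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }


def audit_session_controls(policy, max_hours=24):
    """Return findings for session controls that leave sessions long-lived.
    An untouched 'require MFA' policy has no sessionControls at all: the weak state."""
    findings = []
    controls = policy.get("sessionControls") or {}
    sif = controls.get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        findings.append("no sign-in frequency: session lives until refresh-token expiry (90 days by default, sliding)")
    elif sif.get("frequencyInterval") == "timeBased":
        hours = int(sif["value"]) * (24 if sif.get("type") == "days" else 1)
        if hours > max_hours:
            findings.append(f"sign-in frequency {hours}h exceeds the {max_hours}h ceiling")
    pb = controls.get("persistentBrowser")
    if not pb or not pb.get("isEnabled") or pb.get("mode") == "always":
        findings.append("persistent browser session allowed: cookie survives browser close")
    return findings


def revoke_sign_in_sessions_request(user_id):
    """Request that invalidates the user's refresh tokens and browser session
    cookies. Access tokens already issued stay valid until exp unless the
    resource enforces CAE, so pair this with a short access-token window."""
    return {"method": "POST",
            "url": f"{GRAPH}/users/{user_id}/revokeSignInSessions",
            "headers": {"Authorization": "Bearer <admin token>"},  # placeholder
            "body": None}


if __name__ == "__main__":
    import json
    hardened = sign_in_frequency_policy(4, break_glass_ids=[FAKE_BREAK_GLASS_ID])
    print(json.dumps(hardened, indent=2))
    print("findings, hardened policy:", audit_session_controls(hardened))
    print("findings, untouched policy:", audit_session_controls({"displayName": "Require MFA only"}))
    print(revoke_sign_in_sessions_request(FAKE_BREAK_GLASS_ID))
```

Start any new sign-in frequency policy in report-only mode and read the sign-in log's Conditional Access report-only results before enforcing it; a four-hour interval applied to "All users" and "All apps" will also hit service desk workflows and shared devices, which is why the exclusion list exists.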

Engineering Insight:

Session control is as important as authentication control.

Key Takeaways from EID-EXP-015

  • MFA is enforced at login—not continuously
  • Session tokens enable persistent access.
  • Default configurations intentionally favor usability over strict security, heightening risk if left unmodified. (Protecting authentication methods in Microsoft Entra ID, 2024)
  • Session visibility is limited in logs.

Final Thought

Most environments focus heavily on:

  • Password security
  • MFA enforcement

But overlook: 

What happens after authentication succeeds

Critical Insight:

MFA does not provide continuous protection. Session management is the control plane that governs everything after the prompt, and it deserves the same scrutiny.

Next Steps

  • Review Conditional Access session settings
  • Evaluate sign-in frequency policies.
  • Test session persistence in your own environment

Related Lab

EID-EXP-015 (f11.ca)  – Session Persistence & MFA Bypass Risk

Author

Written by Jaspreet Singh — follow my work on LinkedIn 


References

(2025). Understanding Primary Refresh Token (PRT) in Microsoft Entra ID. Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token

(2025). Conditional Access adaptive session lifetime policies - Microsoft Entra ID. Microsoft Learn. https://video2.skills-academy.com/en-us/entra/identity/conditional-access/concept-session-lifetime

Analyser, H. D. (October 14, 2025). Cookie Bite Entra ID Attack: A Serious Threat to Microsoft Cloud Services. UNDERCODE NEWS. https://undercodenews.com/cookie-bite-entra-id-attack-a-serious-threat-to-microsoft-cloud-services/

(2023). Continuous Access Evaluation (CAE). CTHFM: Azure. https://cthfm-azure.gitbook.io/azure/azure-fundamentals/azure-fundamentals-overview/azure-tokens/continuous-access-evaluation-cae

(2025). Understanding Tokens in Microsoft Entra ID. Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/Entra/identity/devices/concept-tokens-microsoft-Entra-id

(2025). Sign-in event details for Microsoft Entra multifactor authentication. Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-reporting

(2024). Protecting authentication methods in Microsoft Entra ID. Microsoft Entra ID. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement
