Microsoft introduces new Entra ID feature requiring reauthentication every time

Apr 23, 2025, 8:55 am EDT | Masha Borak

Microsoft introduces new Entra ID feature requiring reauthentication every time

Microsoft has introduced a new feature for Entra ID that allows administrators to require a fresh user authentication to complete specific actions that may be sensitive or risky.

The Reauthentication Every Time Policy can be used while accessing sensitive applications, protecting user sign-ins to Azure Virtual Desktop machines or risky sign-ins identified by Microsoft Entra ID Protection. The feature is also used for securing resources behind VPN or Network as a Service (NaaS) providers, privileged role elevation in PIM and sensitive user actions like Microsoft Intune enrollment.

When the setting is enabled, users must fully reauthenticate each time their session is evaluated.

“Sign-in frequency set to every time works best when the resource has the logic to identify when a client should get a new token,” the company says. “These resources redirect the user back to Microsoft Entra only once the session expires.”

Microsoft warns that administrators should limit the number of applications using the Reauthentication Every Time Policy to avoid introducing high friction and causing “MFA fatigue” among users. The company also lists other recommendations on its website.

The introduction of the feature comes after Windows administrators from several organizations received alerts last weekend that their Entra accounts had leaked credentials, leading them to be automatically locked. The account lockouts were triggered by false positives during the rollout of a new Microsoft Entra ID’s “leaked credentials” detection app called MACE Credential Revocation.

Microsoft has confirmed that the security alerts were generated inadvertently and that the issue has been mitigated, Bleeping Computer reports.

“Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens,” the company’s message posted by a user on Reddit reads. “The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers. As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user’s credentials may have been compromised.”

Since last year, Microsoft has been allowing customers to integrate external authentication methods directly into Entra ID, allowing administrators to use different MFA providers. Among the latest additions to the IAM tool is the 1Kosmos platform.