-->Oct 23, 2020 Microsoft retired the configurable token lifetime feature for refresh and session token lifetimes on January 30, 2021 and replaced it with the Conditional Access authentication session management feature. Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. It was advised to raise to Microsoft Support as the Office 365 Admin as Support will pull the session ID's and logs to see what is going on with your tenant. If it is the same as the case above then this is likely to be happening across browsers.
Session lifetimes are an important part of authentication for Microsoft 365 and are an important component in balancing security and the number of times users are prompted for their credentials.
Session times for Microsoft 365 services
When users authenticate in any of the Microsoft 365 web apps or mobile apps, a session is established. For the duration of the session, users won't need to re-authenticate. Sessions can expire when users are inactive, when they close the browser or tab, or when their authentication token expires for other reasons such as when their password has been reset. The Microsoft 365 services have different session timeouts to correspond with the typical use of each service.
The following table lists the session lifetimes for Microsoft 365 services:
Session Has Expired Error
Authentication Session Has Expired Microsoft Office Mac
| Microsoft 365 service | Session timeout |
|---|---|
| Microsoft 365 admin center | You are asked to provide credentials for the admin center every 8 hours. |
| SharePoint Online | 5 days of inactivity as long as the users chooses Keep me signed in. If the user accesses SharePoint Online again after 24 or more hours have passed from the previous sign-in, the timeout value is reset to 5 days. |
| Outlook Web App | 6 hours. You can change this value by using the ActivityBasedAuthenticationTimeoutInterval parameter in the Set-OrganizationConfig cmdlet. |
| Azure Active Directory (Used by Office and Microsoft 365 applications in Windows clients with modern authentication enabled) | Modern authentication uses access tokens and refresh tokens to grant user access to Microsoft 365 resources using Azure Active Directory. An access token is a JSON Web Token provided after a successful authentication and is valid for 1 hour. A refresh token with a longer lifetime is also provided. When access tokens expire, Office clients use a valid refresh token to obtain a new access token. This exchange succeeds if the user's initial authentication is still valid. Refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked. Refresh tokens can be invalidated by several events such as: User's password has changed since the refresh token was issued. An administrator can apply conditional access policies that restrict access to the resource the user is trying to access. |
| SharePoint and OneDrive mobile apps for Android, iOS, and Windows 10 | The default lifetime for the access token is 1 hour. The default max inactive time of the refresh token is 90 days. Learn more about tokens and how to configure token lifetimes To revoke the refresh token, you can reset the user's Microsoft 365 password |
| Yammer with Microsoft 365 Sign-In | Lifetime of the browser. If users close the browser and access Yammer in a new browser, Yammer will re-authenticate them with Microsoft 365. If users use third-party browsers that cache cookies, they may not need to re-authenticate when they reopen the browser. > [!NOTE]> This is valid only for networks using Microsoft 365 Sign-In for Yammer. |