We recently made a policy change requiring M365 users to log into their accounts on a more regular basis. This change helps protect everyone by strengthening our defenses against evolving phishing and business email compromise threats.
Why are we asking users to re-authenticate via MFA every 12 hours?
The risk: token theft
When you log in to M365 (or many other cloud services) and complete all your steps (password + MFA), the system issues you an authentication token (think of it as a “key” that says you’re already good-to-go).
If an attacker manages to steal that token (via phishing, malware, “man-in-the-middle” web proxies, etc.), they can use it to log in as you — often without needing to redo the MFA step, because the token already says, “MFA done”.
Once that token is in attacker hands, the attacker can roam around your account for as long as that token is valid, access resources, exfiltrate data, or set up persistence — all whilst “looking like you”.
This is especially relevant in cloud-first environments like yours (and ours) because of how often people stay logged in, use multiple devices, remote access, etc.
Even though MFA dramatically improves security (it is still extremely important), the fact that token theft bypasses the "did you do the MFA step just now?" check means we still need additional layers of protection.
Why a 12-hour MFA prompt helps
By forcing a re-authentication every 12 hours, you shorten the "window of opportunity" an attacker has if they steal (or replay) your token. Meaning: if someone steals your "key", they lose access once the token expires or you are prompted to re-authenticate.
It essentially adds a time-bound checkpoint: you re-assert your identity, complete MFA, and renew the session. This reduces session-lifetime risk.
It also reinforces best-practice behavior for users: seeing the prompt and re-authenticating keeps you engaged with, and aware of, your active sessions.
It aligns with a zero-trust mindset: don't assume that once you're logged in you're trusted forever; instead assume that we'll periodically re-check you.
Combined with other controls (device compliance, location restrictions, conditional access, session monitoring), your overall risk decreases significantly.
What you as a user should know & do
Keep your MFA device (phone/app) secure: don’t hand it over, don’t approve push notifications you didn’t expect.
Be extra cautious with links/emails asking you to "login" or "re-enter your credentials". Token-theft phishing works by proxying your login and capturing the token behind the scenes.
If you see a login prompt (or MFA approval) when you didn’t initiate one, treat that as potentially malicious.
Log out when you’re done, especially on shared/public devices; avoid leaving “always logged in” enabled.
Use managed/compliant devices for work access whenever possible; avoid unmanaged personal devices if policy allows.
If you suspect unauthorized access, report it immediately so the token/session can be revoked.
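For administrators, the 12-hour checkpoint described in "Why a 12-hour MFA prompt helps" and the session revocation mentioned in the last point above, written as Microsoft Graph PowerShell. This is an added example, not part of this notice; it assumes the Microsoft.Graph module is installed and the signed-in admin holds the Conditional Access Administrator role, and the break-glass account id and user id are placeholders.

```powershell
# Added example (not from the original notice): a Conditional Access policy that
# enforces a 12-hour sign-in frequency, plus the revocation step used when a user
# reports a suspected compromise. Assumes the Microsoft.Graph module and an admin
# with the Conditional Access Administrator role; ids below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.RevokeSessions.All"

$policy = @{
    displayName = "Require re-authentication every 12 hours"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder: exclude at least one break-glass account so a
            # misconfiguration cannot lock every administrator out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 12
            frequencyInterval  = "timeBased"
            # Re-prompt for both factors (password + MFA), not only the second one.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Do not let browsers keep the session across closes ("stay signed in").
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# When a user reports an unexpected prompt or suspected token theft, invalidate
# every refresh token and session cookie for that account. A stolen token then
# fails on its next use and the user must sign in again with MFA.
$userId = "<user-object-id-or-upn>"   # placeholder
Revoke-MgUserSignInSession -UserId $userId
```

Review the report-only results in the Entra sign-in logs before switching the policy state to "enabled", since the sign-in frequency applies to every cloud app included in the policy.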
What this policy is not
It’s not a sign of mistrust in you; it’s a security precaution applied universally to help protect your account, your data, and our collective systems.
It’s not the only control we’re using, but it’s a meaningful one alongside the others already in place: conditional access, device compliance, monitoring, etc.
It doesn’t mean you’ll be constantly bothered; 12 hours is a balance between usability and risk mitigation.
Links for additional reading
https://learn.microsoft.com/en-us/security/operations/token-theft-playbook
