If I am reading the documentation correctly, trusted device expiration is statically set to 30 days, and users are allowed to turn this off in their advanced settings.

In our environment, we'd love to be able to prevent users from being able to disable the trusted device expiration, as well as change the 30 day period to a shorter time frame.

We are already forcing MFA except for at trusted locations but would like to ratchet up the security, mostly in case a device is stolen or compromised.

Thanks for your consideration of our idea!