CA-07: Configuring Session Controls in Conditional Access
Overview
This guide walks you through configuring session controls in Conditional Access policies. Session controls provide granular control over what users can do after authentication, enabling scenarios like read-only access, download restrictions, and integration with Microsoft Defender for Cloud Apps.
Control ID: CA-07
Category: Conditional Access
Severity: Medium
License Required: Microsoft Entra ID P1 (basic) or Microsoft Defender for Cloud Apps (advanced)
Why This Matters
Grant controls determine whether a user can access resources. Session controls determine what they can do once access is granted:
- Limit download/upload - Prevent data exfiltration from unmanaged devices
- Block copy/paste - Restrict clipboard access to sensitive applications
- Monitor sessions - Gain visibility into user activities within apps
- Customize access - Provide partial access instead of full block or full allow
- Sign-in frequency - Force re-authentication at defined intervals
Session controls enable nuanced access policies that balance security with productivity.
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended)
- Security Administrator
- Global Administrator
Required Licenses
Basic Session Controls (Sign-in frequency, Persistent browser):
- Microsoft Entra ID P1
Advanced Session Controls (Defender for Cloud Apps):
- Microsoft Defender for Cloud Apps (standalone or E5)
- Microsoft Entra ID P1 or P2
Pre-Configuration Requirements
For advanced session controls:
- Microsoft Defender for Cloud Apps configured - Portal must be accessible
- App connectors deployed - For apps requiring session monitoring
- Session policies created in Defender for Cloud Apps
Time Estimate
| Task | Duration |
|---|---|
| Basic session controls setup | 15-20 minutes |
| Defender for Cloud Apps integration | 1-2 hours |
| Testing and validation | 30-60 minutes |
| Total | 1-3 hours depending on scope |
Available Session Controls
Sign-In Frequency
Forces users to re-authenticate after a specified time period. The session becomes invalid after the interval expires.
Use Cases:
- Require re-authentication every 8 hours for sensitive apps
- Force daily re-authentication for admin access
- Limit session duration on untrusted devices
Persistent Browser Session
Controls whether users stay signed in after closing and reopening the browser.
Options:
- Always persistent - Users remain signed in
- Never persistent - Users must re-authenticate after browser close
Application Enforced Restrictions
Passes device information to the connected app (SharePoint/Exchange) to enable conditional experiences.
Use Cases:
- Limited web-only access from unmanaged devices
- Block downloads in SharePoint from personal devices
- Read-only access to Exchange from untrusted networks
Use Conditional Access App Control (Defender for Cloud Apps)
Routes sessions through Defender for Cloud Apps for real-time monitoring and control.
Use Cases:
- Block downloads of sensitive files
- Prevent copy/paste of sensitive content
- Monitor user activities in third-party SaaS apps
- Apply real-time DLP policies
Disable Resilience Defaults (Preview)
Controls backup authentication behavior during outages.
Customize Continuous Access Evaluation (Preview)
Configures CAE behavior including strict location enforcement.
Step-by-Step Instructions
Part 1: Configure Sign-In Frequency
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Conditional Access > Policies
- Either create a new policy or edit an existing one
Step 2: Configure Session Controls
- In the policy, under Session, click to expand
- Check Sign-in frequency
- Select frequency type:
- Periodic reauthentication - Set specific interval (hours or days)
- Every time - Require authentication on every access
Step 3: Set the Interval
For periodic reauthentication:
| Scenario | Recommended Setting |
|---|---|
| General users | 7-14 days |
| Sensitive applications | 8-24 hours |
| Admin access | 4-8 hours |
| Untrusted devices | 1-4 hours |
Example configuration:
- Value: 8
- Unit: Hours
Step 4: Enable and Test
- Set policy to Report-only first
- Monitor sign-in logs for reauthentication events
- Adjust frequency if user friction is too high
- Change to On when validated
Part 2: Configure Persistent Browser Session
Step 1: Navigate to Session Controls
- Open your Conditional Access policy
- Under Session, click to expand
Step 2: Configure Browser Persistence
- Check Persistent browser session
- Select one option:
- Always persistent - Browser stays signed in
- Never persistent - Session ends when browser closes
Step 3: Use Case Examples
Deny persistence for untrusted devices:
- Create policy targeting unmanaged devices
- Conditions > Filter for devices: Not registered or not compliant
- Session: Persistent browser session = Never persistent
Allow persistence for corporate devices:
- Create policy for managed devices
- Conditions > Filter for devices: Compliant or Entra joined
- Session: Persistent browser session = Always persistent
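The two basic session controls above (sign-in frequency from Part 1 and persistent browser session from Part 2) can also be set with the Microsoft Graph PowerShell SDK instead of the portal. The following is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph module is installed, that the signed-in account holds one of the roles listed under Prerequisites, and it uses placeholder object IDs for the target application and the excluded emergency access account. It builds the policy the "Basic Session Control Policy" summary table describes, starting in report-only mode as Step 4 recommends.

```powershell
# Added example (not from the original guide): create a basic session-control policy
# with Microsoft Graph PowerShell. The two object IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$sensitiveAppId     = "<object-id-of-sensitive-app>"        # placeholder: application to protect
$emergencyAccountId = "<object-id-of-break-glass-account>"  # placeholder: excluded emergency access account

$policy = @{
    displayName = "Session Controls - Sensitive Apps"
    # Report-only first (Part 1, Step 4); switch to "enabled" once sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers = @("All")
            excludeUsers = @($emergencyAccountId)
        }
        applications = @{
            includeApplications = @($sensitiveAppId)
        }
    }
    # No grant controls: the policy is "Grant access" with session controls only.
    sessionControls = @{
        # Part 1: periodic reauthentication every 8 hours.
        # For the "Every time" option use frequencyInterval = "everyTime" and omit value/type.
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "timeBased"
            type               = "hours"        # or "days"
            value              = 8
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Part 2: the session ends when the browser is closed.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"                 # or "always"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After validating in report-only mode, the same policy can be turned on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`.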
Part 3: Configure Application Enforced Restrictions
This setting works with SharePoint and Exchange Online to provide limited access experiences.
Step 1: Enable in SharePoint
Before using this control, configure SharePoint:
- Navigate to SharePoint admin center
- Go to Policies > Access control
- Under Unmanaged devices, select:
- Allow limited, web-only access
- Or Block access
Step 2: Configure Conditional Access Policy
- Open or create a Conditional Access policy
- Configure Users: Target relevant users
- Configure Cloud apps: Select Office 365 or specific apps
- Configure Conditions:
- Filter for devices: Unmanaged devices
- Or Device state: Device not compliant, not Entra joined
- Under Session, check Use app enforced restrictions
Step 3: Result
Users on unmanaged devices will experience:
- Web-only access (no sync clients)
- Downloads blocked
- Print restrictions
- No offline access
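Part 3 has two halves, the SharePoint tenant setting and the Conditional Access policy, and both can be scripted. The following is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed, uses a placeholder tenant name, and applies the device filter from Scenario 1 (any device not marked compliant is treated as unmanaged).

```powershell
# Added example (not from the original guide): both halves of Part 3.
# "<tenant>" is a placeholder for your tenant name.

# --- Step 1: SharePoint admin setting (Microsoft.Online.SharePoint.PowerShell) ---
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
# AllowLimitedAccess = "Allow limited, web-only access"; BlockAccess = "Block access".
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
# Confirm the setting (this is the first item of the verification checklist for Part 3).
Get-SPOTenant | Select-Object ConditionalAccessPolicy

# --- Step 2: Conditional Access policy with "Use app enforced restrictions" ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "BYOD Limited Access"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        clientAppTypes = @("all")
        users        = @{ includeUsers = @("All") }     # add excludeUsers for emergency access accounts
        applications = @{ includeApplications = @("Office365") }   # the "Office 365" app group
        # Filter for devices: the Scenario 1 rule, matching devices not marked compliant.
        devices = @{
            deviceFilter = @{
                mode = "include"
                rule = "device.isCompliant -ne True"
            }
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State
```

Without the SharePoint half the Conditional Access setting has nothing to act on, which is the first thing to check when the "Application Enforced Restrictions Not Applied" symptom appears.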
Part 4: Configure Conditional Access App Control (Advanced)
This requires Microsoft Defender for Cloud Apps.
Step 1: Access Defender for Cloud Apps
- Navigate to Microsoft Defender portal
- Select Cloud Apps in the navigation
Step 2: Configure App Onboarding
- Go to Settings > Cloud Apps > Conditional Access App Control
- Add the apps you want to protect
- For each app, configure session routing
Step 3: Create Session Policy
- In Defender for Cloud Apps, go to Control > Policies
- Click Create policy > Session policy
- Configure:
- Activity source: Assign filters for apps
- Actions: Block download, monitor, apply DLP
- Policy type: Download control, Upload control, or Custom
Step 4: Configure Conditional Access
- Open your Conditional Access policy
- Under Session, check Use Conditional Access App Control
- Select:
- Monitor only - Log activities without blocking
- Block downloads - Prevent file downloads
- Use custom policy - Use Defender for Cloud Apps session policies
Step 5: Test the Integration
- Sign in to a protected app through the session proxy
- Verify the Defender for Cloud Apps URL is in the address bar (e.g., a hostname ending in .mcas.ms)
- Attempt blocked actions to verify policies work
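Step 4 of Part 4 (the Conditional Access side of the integration) can be scripted once Steps 1 to 3 are done in Defender for Cloud Apps. The following is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph module is installed and the apps are already onboarded, and it uses the guest download-block case from Scenario 4 with the well-known Office 365 SharePoint Online application ID (OneDrive uses the same service principal).

```powershell
# Added example (not from the original guide): Part 4, Step 4 for the Scenario 4 case.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known application ID of Office 365 SharePoint Online (also covers OneDrive).
$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Guest Download Block"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        clientAppTypes = @("browser")    # the session proxy only handles browser sessions
        users        = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications = @{ includeApplications = @($sharePointOnlineAppId) }
    }
    sessionControls = @{
        # cloudAppSecurityType maps to the three portal choices in Step 4:
        #   "monitorOnly"    - Monitor only
        #   "blockDownloads" - Block downloads
        #   "mcasConfigured" - Use custom policy (session policies from Step 3)
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "blockDownloads"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State
```

Switching `cloudAppSecurityType` to `"mcasConfigured"` hands control to the session policies created in Step 3, which is what Scenario 3 style monitoring with custom DLP actions needs.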
Session Control Scenarios
Scenario 1: Limited Access for BYOD
Goal: Allow users on personal devices to access email and files but prevent downloads.
Configuration:
Policy: BYOD Limited Access
Users: All users
Cloud apps: Office 365
Conditions:
- Filter for devices: device.isCompliant -ne True
Session:
- Use app enforced restrictions: Enabled
Result: Users see web-only interface with download restrictions.
Scenario 2: Strict Admin Session Limits
Goal: Force admins to re-authenticate every 4 hours.
Configuration:
Policy: Admin Session Limits
Users: Directory roles (all admin roles)
Cloud apps: All cloud apps
Session:
- Sign-in frequency: 4 hours
- Persistent browser session: Never persistent
Result: Admins are prompted to re-authenticate every 4 hours and after browser close.
Scenario 3: Sensitive App Monitoring
Goal: Monitor and log all activities in a sensitive financial application.
Configuration:
Policy: Sensitive App Monitoring
Users: Finance department group
Cloud apps: Specific finance SaaS app
Session:
- Use Conditional Access App Control: Monitor only
Result: All user activities are logged in Defender for Cloud Apps.
Scenario 4: Block Downloads for External Users
Goal: Allow guests to view documents but not download them.
Configuration:
Policy: Guest Download Block
Users: Guest users
Cloud apps: SharePoint, OneDrive
Session:
- Use Conditional Access App Control: Block downloads
Result: Guests can view but cannot download files.
Verification Checklist
After enabling session controls, verify successful implementation:
Sign-In Frequency Verification
- Policy shows sign-in frequency configured
- Test user is prompted to re-authenticate after configured interval
- Sign-in logs show reauthentication events
Persistent Browser Session Verification
- Policy shows browser persistence configured
- Close and reopen browser to test persistence behavior
- Verify expected outcome (prompted or not prompted)
Application Enforced Restrictions Verification
- SharePoint admin center shows unmanaged device settings
- Test from unmanaged device to verify limited access
- Download buttons are hidden or disabled
- Sync client access is blocked
Conditional Access App Control Verification
- Defender for Cloud Apps shows app configured
- Session policies are created and active
- Test user sees the .mcas.ms URL when accessing the app
- Blocked actions are correctly prevented
- Activity logs appear in Defender for Cloud Apps
Troubleshooting
Sign-In Frequency Not Enforced
Symptom: Users are not prompted to re-authenticate at expected intervals.
Solutions:
- Verify the policy is enabled (not Report-only)
- Check if users are excluded from the policy
- Review token lifetime - CAE may extend effective session
- Check for conflicting policies with different frequency settings
Persistent Browser Session Not Working
Symptom: Browser persistence behaves opposite to configuration.
Solutions:
- Clear browser cookies and cache
- Verify no conflicting policies
- Check if the user is on a shared/public device
- Review sign-in logs for policy application
Application Enforced Restrictions Not Applied
Symptom: Users can still download files on unmanaged devices.
Solutions:
- Verify SharePoint admin center settings are configured
- Check that device filter correctly identifies unmanaged devices
- Clear browser cache and cookies
- Verify the app enforced restrictions setting is checked
Defender for Cloud Apps Session Issues
Symptom: Session proxy not routing traffic correctly.
Solutions:
- Verify app is onboarded in Defender for Cloud Apps
- Check SSL certificate is trusted
- Review session policy conditions
- Ensure users are not in excluded groups
- Check for proxy/firewall blocking the MCAS domain
Users Stuck in Reauthentication Loop
Symptom: Users are continuously prompted to sign in.
Solutions:
- Check for multiple conflicting policies
- Verify MFA is registered for the user
- Review Conditional Access evaluation in sign-in logs
- Temporarily exclude user to diagnose
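Several checklist and troubleshooting items above (policy enabled rather than report-only, users not excluded, conflicting sign-in frequencies, reauthentication events in the sign-in logs) can be checked from one read-only script. The following is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph module is installed, read permissions for policies and sign-in logs, and uses a placeholder test-user UPN. It goes slightly beyond the checklist by tabulating every session control of every policy in one view.

```powershell
# Added example (not from the original guide): read-only audit of session controls.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. One row per policy with its state and configured session controls.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$summary = foreach ($p in $policies) {
    $sf  = $p.SessionControls.SignInFrequency
    $pb  = $p.SessionControls.PersistentBrowser
    $cas = $p.SessionControls.CloudAppSecurity
    $frequency = "-"
    if ($sf.IsEnabled) {
        $frequency = if ($sf.FrequencyInterval -eq "everyTime") { "everyTime" } else { "$($sf.Value) $($sf.Type)" }
    }
    [pscustomobject]@{
        Name              = $p.DisplayName
        State             = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        SignInFrequency   = $frequency
        PersistentBrowser = if ($pb.IsEnabled) { $pb.Mode } else { "-" }
        AppEnforced       = [bool]$p.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
        CloudAppSecurity  = if ($cas.IsEnabled) { $cas.CloudAppSecurityType } else { "-" }
        IncludeUsers      = ($p.Conditions.Users.IncludeUsers -join ",")
        ExcludedEntries   = $p.Conditions.Users.ExcludeUsers.Count + $p.Conditions.Users.ExcludeGroups.Count
    }
}
$summary | Format-Table -AutoSize

# 2. Enabled policies that set different sign-in frequencies for "All users".
#    When several apply, the shortest interval wins, which explains many
#    "not prompted at the expected interval" and reauthentication-loop reports.
$frequencyPolicies = $policies | Where-Object {
    $_.State -eq "enabled" -and
    $_.SessionControls.SignInFrequency.IsEnabled -and
    $_.Conditions.Users.IncludeUsers -contains "All"
}
$distinct = $frequencyPolicies |
    ForEach-Object { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } |
    Select-Object -Unique
if ($distinct.Count -gt 1) {
    Write-Warning "Multiple enabled policies set different sign-in frequencies for All users:"
    $frequencyPolicies | Select-Object DisplayName,
        @{ n = "Frequency"; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
}

# 3. Which policies were applied on a test user's recent sign-ins, and which session
#    controls were enforced (the sign-in log check from Part 1, Step 4).
$testUser = "testuser@<tenant>.onmicrosoft.com"   # placeholder
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUser'" -Top 10 | ForEach-Object {
    $signIn = $_
    $signIn.AppliedConditionalAccessPolicies | ForEach-Object {
        [pscustomobject]@{
            Time            = $signIn.CreatedDateTime
            App             = $signIn.AppDisplayName
            Policy          = $_.DisplayName
            Result          = $_.Result   # success, notApplied, reportOnlySuccess, ...
            SessionControls = ($_.EnforcedSessionControls -join ",")
        }
    }
} | Format-Table -AutoSize
```

A policy that shows `reportOnlySuccess` in part 3 but never `success` is still in report-only mode, which is the first item under "Sign-In Frequency Not Enforced"; an empty `SessionControls` column for a policy that should apply usually means the user matched an exclusion.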
Policy Configuration Summary
Basic Session Control Policy
| Setting | Value |
|---|---|
| Policy Name | Session Controls - Sensitive Apps |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | Sensitive applications |
| Conditions | As needed |
| Grant | Grant access (with or without conditions) |
| Session - Sign-in frequency | 8 hours |
| Session - Persistent browser | Never persistent |
| Enable Policy | On |
BYOD Restriction Policy
| Setting | Value |
|---|---|
| Policy Name | BYOD Limited Access |
| Users - Include | All users |
| Cloud Apps | Office 365 |
| Conditions - Filter for devices | Unmanaged/non-compliant |
| Grant | Grant access |
| Session | Use app enforced restrictions |
| Enable Policy | On |
Combining Session Controls
You can combine multiple session controls in a single policy:
Example: High-Security Access
Session controls:
- Sign-in frequency: 4 hours
- Persistent browser session: Never persistent
- Use Conditional Access App Control: Block downloads
Considerations:
- More controls = more user friction
- Balance security with productivity
- Use report-only mode to assess impact before enabling
Related Controls
- CA-11: Enforce Session Lifetime Limits (focused on sign-in frequency)
- CA-10: Enable Token Protection (token binding for sessions)
- PA-07: Enable Continuous Access Evaluation (real-time session revocation)
- DLP-02: Block Bulk Data Exfiltration (data protection)