CA-07: Configuring Session Controls in Conditional Access

Overview

This guide walks you through configuring session controls in Conditional Access policies. Session controls provide granular control over what users can do after authentication, enabling scenarios like read-only access, download restrictions, and integration with Microsoft Defender for Cloud Apps.

Control ID: CA-07
Category: Conditional Access
Severity: Medium
License Required: Microsoft Entra ID P1 (basic) or Microsoft Defender for Cloud Apps (advanced)

Why This Matters

Grant controls determine whether a user can access resources. Session controls determine what they can do once access is granted:

  • Limit download/upload - Prevent data exfiltration from unmanaged devices
  • Block copy/paste - Restrict clipboard access to sensitive applications
  • Monitor sessions - Gain visibility into user activities within apps
  • Customize access - Provide partial access instead of full block or full allow
  • Sign-in frequency - Force re-authentication at defined intervals

Session controls enable nuanced access policies that balance security with productivity.


Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended)
  • Security Administrator
  • Global Administrator

Required Licenses

Basic Session Controls (Sign-in frequency, Persistent browser):

  • Microsoft Entra ID P1

Advanced Session Controls (Defender for Cloud Apps):

  • Microsoft Defender for Cloud Apps (standalone or E5)
  • Microsoft Entra ID P1 or P2

Pre-Configuration Requirements

For advanced session controls:

  1. Microsoft Defender for Cloud Apps configured - Portal must be accessible
  2. App connectors deployed - For apps requiring session monitoring
  3. Session policies created in Defender for Cloud Apps

Time Estimate

Task                                  | Duration
--------------------------------------|------------------------------
Basic session controls setup          | 15-20 minutes
Defender for Cloud Apps integration   | 1-2 hours
Testing and validation                | 30-60 minutes
Total                                 | 1-3 hours depending on scope

Available Session Controls

Sign-In Frequency

Forces users to re-authenticate after a specified time period. The session becomes invalid after the interval expires.

Use Cases:

  • Require re-authentication every 8 hours for sensitive apps
  • Force daily re-authentication for admin access
  • Limit session duration on untrusted devices

Persistent Browser Session

Controls whether users stay signed in after closing and reopening the browser.

Options:

  • Always persistent - Users remain signed in
  • Never persistent - Users must re-authenticate after browser close

Application Enforced Restrictions

Passes device information to the connected app (SharePoint/Exchange) to enable conditional experiences.

Use Cases:

  • Limited web-only access from unmanaged devices
  • Block downloads in SharePoint from personal devices
  • Read-only access to Exchange from untrusted networks

Use Conditional Access App Control (Defender for Cloud Apps)

Routes sessions through Defender for Cloud Apps for real-time monitoring and control.

Use Cases:

  • Block downloads of sensitive files
  • Prevent copy/paste of sensitive content
  • Monitor user activities in third-party SaaS apps
  • Apply real-time DLP policies

Disable Resilience Defaults (Preview)

Controls backup authentication behavior during outages.

Customize Continuous Access Evaluation (Preview)

Configures CAE behavior including strict location enforcement.


Step-by-Step Instructions

Part 1: Configure Sign-In Frequency

Step 1: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access > Policies
  3. Either create a new policy or edit an existing one

Step 2: Configure Session Controls

  1. In the policy, under Session, click to expand
  2. Check Sign-in frequency
  3. Select frequency type:
    • Periodic reauthentication - Set specific interval (hours or days)
    • Every time - Require authentication on every access

Step 3: Set the Interval

For periodic reauthentication:

Scenario                 | Recommended Setting
-------------------------|--------------------
General users            | 7-14 days
Sensitive applications   | 8-24 hours
Admin access             | 4-8 hours
Untrusted devices        | 1-4 hours

Example configuration:

  • Value: 8
  • Unit: Hours

Step 4: Enable and Test

  1. Set policy to Report-only first
  2. Monitor sign-in logs for reauthentication events
  3. Adjust frequency if user friction is too high
  4. Change to On when validated

Part 2: Configure Persistent Browser Session

Step 1: Navigate to Session Controls

  1. Open your Conditional Access policy
  2. Under Session, click to expand

Step 2: Configure Browser Persistence

  1. Check Persistent browser session
  2. Select one option:
    • Always persistent - Browser stays signed in
    • Never persistent - Session ends when browser closes

Step 3: Use Case Examples

Deny persistence for untrusted devices:

  1. Create policy targeting unmanaged devices
  2. Conditions > Filter for devices: Not registered or not compliant
  3. Session: Persistent browser session = Never persistent

Allow persistence for corporate devices:

  1. Create policy for managed devices
  2. Conditions > Filter for devices: Compliant or Entra joined
  3. Session: Persistent browser session = Always persistent

Part 3: Configure Application Enforced Restrictions

This setting works with SharePoint and Exchange Online to provide limited access experiences.

Step 1: Enable in SharePoint

Before using this control, configure SharePoint:

  1. Navigate to SharePoint admin center
  2. Go to Policies > Access control
  3. Under Unmanaged devices, select:
    • Allow limited, web-only access
    • Or Block access

Step 2: Configure Conditional Access Policy

  1. Open or create a Conditional Access policy
  2. Configure Users: Target relevant users
  3. Configure Cloud apps: Select Office 365 or specific apps
  4. Configure Conditions:
    • Filter for devices: Unmanaged devices
    • Or Device state: Device not compliant, not Entra joined
  5. Under Session, check Use app enforced restrictions

Step 3: Result

Users on unmanaged devices will experience:

  • Web-only access (no sync clients)
  • Downloads blocked
  • Print restrictions
  • No offline access

Part 4: Configure Conditional Access App Control (Advanced)

This requires Microsoft Defender for Cloud Apps.

Step 1: Access Defender for Cloud Apps

  1. Navigate to Microsoft Defender portal
  2. Select Cloud Apps in the navigation

Step 2: Configure App Onboarding

  1. Go to Settings > Cloud Apps > Conditional Access App Control
  2. Add the apps you want to protect
  3. For each app, configure session routing

Step 3: Create Session Policy

  1. In Defender for Cloud Apps, go to Control > Policies
  2. Click Create policy > Session policy
  3. Configure:
    • Activity source: Assign filters for apps
    • Actions: Block download, monitor, apply DLP
    • Policy type: Download control, Upload control, or Custom

Step 4: Configure Conditional Access

  1. Open your Conditional Access policy
  2. Under Session, check Use Conditional Access App Control
  3. Select:
    • Monitor only - Log activities without blocking
    • Block downloads - Prevent file downloads
    • Use custom policy - Use Defender for Cloud Apps session policies

Step 5: Test the Integration

  1. Sign in to a protected app through the session proxy
  2. Verify the Defender for Cloud Apps URL is in the address bar (e.g., .mcas.ms)
  3. Attempt blocked actions to verify policies work

Session Control Scenarios

Scenario 1: Limited Access for BYOD

Goal: Allow users on personal devices to access email and files but prevent downloads.

Configuration:

Policy: BYOD Limited Access
Users: All users
Cloud apps: Office 365
Conditions:
  - Filter for devices: device.isCompliant -ne True
Session:
  - Use app enforced restrictions: Enabled

Result: Users see web-only interface with download restrictions.
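The Scenario 1 policy (the same configuration Part 3 walks through in the portal) expressed through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module is installed and a role from Prerequisites; the emergency-access group ID is a placeholder, and requiring MFA in the grant control is an assumption (the summary table allows grant access with or without conditions).

```powershell
# Added example: create the "BYOD Limited Access" policy from Scenario 1 via Microsoft Graph.
# Scopes: creating Conditional Access policies needs Policy.ReadWrite.ConditionalAccess plus the read scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'BYOD Limited Access'
    # Start in report-only, as Step 4 of Part 1 recommends; change to 'enabled' once validated.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            # Placeholder: object ID of the emergency access (break-glass) group to exclude.
            excludeGroups = @('<emergency-access-group-id>')
        }
        # 'Office365' is the Graph keyword for the Office 365 app group selected in the scenario.
        applications = @{ includeApplications = @('Office365') }
        devices      = @{
            deviceFilter = @{
                mode = 'include'
                # Same filter rule as the scenario: every device not marked compliant.
                rule = 'device.isCompliant -ne True'
            }
        }
    }
    # Assumption: require MFA on grant; drop this block to grant access without conditions.
    grantControls   = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # "Use app enforced restrictions": SharePoint/Exchange apply the limited, web-only experience
        # configured in the SharePoint admin center (Part 3, Step 1).
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```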

Scenario 2: Strict Admin Session Limits

Goal: Force admins to re-authenticate every 4 hours.

Configuration:

Policy: Admin Session Limits
Users: Directory roles (all admin roles)
Cloud apps: All cloud apps
Session:
  - Sign-in frequency: 4 hours
  - Persistent browser session: Never persistent

Result: Admins are prompted to re-authenticate every 4 hours and after browser close.

Scenario 3: Sensitive App Monitoring

Goal: Monitor and log all activities in a sensitive financial application.

Configuration:

Policy: Sensitive App Monitoring
Users: Finance department group
Cloud apps: Specific finance SaaS app
Session:
  - Use Conditional Access App Control: Monitor only

Result: All user activities are logged in Defender for Cloud Apps.

Scenario 4: Block Downloads for External Users

Goal: Allow guests to view documents but not download them.

Configuration:

Policy: Guest Download Block
Users: Guest users
Cloud apps: SharePoint, OneDrive
Session:
  - Use Conditional Access App Control: Block downloads

Result: Guests can view but cannot download files.


Verification Checklist

After enabling session controls, verify successful implementation:

Sign-In Frequency Verification

  • Policy shows sign-in frequency configured
  • Test user is prompted to re-authenticate after configured interval
  • Sign-in logs show reauthentication events

Persistent Browser Session Verification

  • Policy shows browser persistence configured
  • Close and reopen browser to test persistence behavior
  • Verify expected outcome (prompted or not prompted)

Application Enforced Restrictions Verification

  • SharePoint admin center shows unmanaged device settings
  • Test from unmanaged device to verify limited access
  • Download buttons are hidden or disabled
  • Sync client access is blocked

Conditional Access App Control Verification

  • Defender for Cloud Apps shows app configured
  • Session policies are created and active
  • Test user sees .mcas.ms URL when accessing app
  • Blocked actions are correctly prevented
  • Activity logs appear in Defender for Cloud Apps
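For the sign-in log checks in this list (reauthentication events and policy application), an added example that is not part of the original guide: it reads the latest interactive sign-ins of one test account through the Microsoft Graph PowerShell SDK and prints, per sign-in, the gap since the previous sign-in and which policies and session controls were applied. The test account name is a placeholder and the Microsoft.Graph module is assumed.

```powershell
# Added example: verify session-control enforcement from the sign-in logs of a test user.
# Reading sign-in logs requires AuditLog.Read.All together with Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$testUser = 'test.user@contoso.example'   # placeholder: the account used for the verification checks

# Interactive sign-ins only (the default for this cmdlet); newest first.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUser'" -Top 25 |
    Sort-Object CreatedDateTime -Descending

$newer = $null
foreach ($s in $signIns) {
    # Gap between consecutive interactive sign-ins: with an 8-hour sign-in frequency, gaps during
    # continuous use should cluster around that interval rather than being much longer.
    $gap = if ($newer) { '{0:hh\:mm}' -f ($newer.CreatedDateTime - $s.CreatedDateTime) } else { 'n/a' }
    '{0:u}  app={1}  CA status={2}  gap to next sign-in={3}' -f `
        $s.CreatedDateTime, $s.AppDisplayName, $s.ConditionalAccessStatus, $gap

    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        # 'Result' separates enforced policies (success/failure) from report-only ones (reportOnly*).
        $controls = if ($p.EnforcedSessionControls) { $p.EnforcedSessionControls -join ',' } else { 'none' }
        '    {0,-40} result={1,-22} session controls={2}' -f $p.DisplayName, $p.Result, $controls
    }
    $newer = $s
}
```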

Troubleshooting

Sign-In Frequency Not Enforced

Symptom: Users are not prompted to re-authenticate at expected intervals.

Solutions:

  1. Verify the policy is enabled (not Report-only)
  2. Check if users are excluded from the policy
  3. Review token lifetime - Continuous Access Evaluation (CAE) can extend the effective session beyond the configured interval
  4. Check for conflicting policies with different frequency settings

Persistent Browser Session Not Working

Symptom: Browser persistence behaves opposite to configuration.

Solutions:

  1. Clear browser cookies and cache
  2. Verify no conflicting policies
  3. Check if the user is on a shared/public device
  4. Review sign-in logs for policy application

Application Enforced Restrictions Not Applied

Symptom: Users can still download files on unmanaged devices.

Solutions:

  1. Verify SharePoint admin center settings are configured
  2. Check that device filter correctly identifies unmanaged devices
  3. Clear browser cache and cookies
  4. Verify the app enforced restrictions setting is checked

Defender for Cloud Apps Session Issues

Symptom: Session proxy not routing traffic correctly.

Solutions:

  1. Verify app is onboarded in Defender for Cloud Apps
  2. Check that the session proxy's TLS certificate is trusted by the client
  3. Review session policy conditions
  4. Ensure users are not in excluded groups
  5. Check for proxy/firewall blocking the MCAS domain

Users Stuck in Reauthentication Loop

Symptom: Users are continuously prompted to sign in.

Solutions:

  1. Check for multiple conflicting policies
  2. Verify MFA is registered for the user
  3. Review Conditional Access evaluation in sign-in logs
  4. Temporarily exclude user to diagnose
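For the "Sign-In Frequency Not Enforced" and "Users Stuck in Reauthentication Loop" checks above, an added example that is not part of the original guide: it inventories the session controls of every Conditional Access policy through the Microsoft Graph PowerShell SDK and warns about a sign-in frequency configured in a policy that is not enforced, and about enforced policies that disagree on the frequency. It assumes the Microsoft.Graph module is installed.

```powershell
# Added example: audit session controls across all Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All'

$rows = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $s   = $p.SessionControls
    $sif = $s.SignInFrequency
    $frequency = '-'
    if ($sif.IsEnabled) {
        # 'everyTime' is the "Every time" option; otherwise value + unit (hours or days)
        $frequency = if ($sif.FrequencyInterval -eq 'everyTime') { 'every time' } else { "$($sif.Value) $($sif.Type)" }
    }
    $persist    = if ($s.PersistentBrowser.IsEnabled) { $s.PersistentBrowser.Mode } else { '-' }          # always / never
    $appControl = if ($s.CloudAppSecurity.IsEnabled) { $s.CloudAppSecurity.CloudAppSecurityType } else { '-' }
    [pscustomobject]@{
        Name              = $p.DisplayName
        State             = $p.State   # enabled, disabled, enabledForReportingButNotEnforced
        SignInFrequency   = $frequency
        PersistentBrowser = $persist
        AppEnforced       = [bool]$s.ApplicationEnforcedRestrictions.IsEnabled
        AppControl        = $appControl
    }
}
$rows | Sort-Object Name | Format-Table -AutoSize

# Finding 1 ("Sign-In Frequency Not Enforced"): frequency configured, but the policy is report-only or disabled.
foreach ($r in $rows | Where-Object { $_.SignInFrequency -ne '-' -and $_.State -ne 'enabled' }) {
    Write-Warning "'$($r.Name)' sets sign-in frequency '$($r.SignInFrequency)' but its state is '$($r.State)'"
}

# Finding 2 ("Users Stuck in Reauthentication Loop"): enforced policies that disagree on the frequency.
# Where their scopes overlap the most restrictive value applies, so review the listed policies together.
$enforced = @($rows | Where-Object { $_.State -eq 'enabled' -and $_.SignInFrequency -ne '-' })
$distinct = @($enforced.SignInFrequency | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    $list = ($enforced | ForEach-Object { "$($_.Name)=$($_.SignInFrequency)" }) -join '; '
    Write-Warning "Enforced policies disagree on sign-in frequency: $list"
}
```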

Policy Configuration Summary

Basic Session Control Policy

Setting                        | Value
-------------------------------|------------------------------------------
Policy Name                    | Session Controls - Sensitive Apps
Users - Include                | All users
Users - Exclude                | Emergency access accounts
Cloud Apps                     | Sensitive applications
Conditions                     | As needed
Grant                          | Grant access (with or without conditions)
Session - Sign-in frequency    | 8 hours
Session - Persistent browser   | Never persistent
Enable Policy                  | On

BYOD Restriction Policy

Setting                          | Value
---------------------------------|--------------------------------
Policy Name                      | BYOD Limited Access
Users - Include                  | All users
Cloud Apps                       | Office 365
Conditions - Filter for devices  | Unmanaged/non-compliant
Grant                            | Grant access
Session                          | Use app enforced restrictions
Enable Policy                    | On

Combining Session Controls

You can combine multiple session controls in a single policy:

Example: High-Security Access

Session controls:
- Sign-in frequency: 4 hours
- Persistent browser session: Never persistent
- Use Conditional Access App Control: Block downloads

Considerations:

  • More controls = more user friction
  • Balance security with productivity
  • Use report-only mode to assess impact before enabling

Related Controls

  • CA-11: Enforce Session Lifetime Limits (focused on sign-in frequency)
  • CA-10: Enable Token Protection (token binding for sessions)
  • PA-07: Enable Continuous Access Evaluation (real-time session revocation)
  • DLP-02: Block Bulk Data Exfiltration (data protection)

Additional Resources