Within a Conditional Access policy, an administrator can make use of session controls to enable limited experiences within specific cloud applications.
Application enforced restrictions
Organizations can use this control to require Microsoft Entra ID to pass device information to the selected cloud apps. The device information lets a cloud app know whether a connection comes from a compliant or domain-joined device and adjust the session experience accordingly. When selected, the cloud app uses the device information to provide users with a limited or full experience: limited when the device isn't managed or compliant, and full when the device is managed and compliant.
For a list of supported applications and how to configure policies, see the following articles:
- Idle session timeout for Microsoft 365
- Enabling limited access with SharePoint Online
- Enabling limited access with Exchange Online
Conditional Access application control
Conditional Access App Control uses a reverse proxy architecture and is uniquely integrated with Microsoft Entra Conditional Access. Microsoft Entra Conditional Access allows you to enforce access controls on your organization’s apps based on certain conditions. The conditions define what user or group of users, cloud apps, and locations and networks a Conditional Access policy applies to. After you determine the conditions, you can route users to Microsoft Defender for Cloud Apps where you can protect data with Conditional Access App Control by applying access and session controls.
Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Defender for Cloud Apps portal to refine filters and set actions to take.
This control can be enforced with Microsoft Defender for Cloud Apps, where admins can deploy Conditional Access App Control for featured apps and use Microsoft Defender for Cloud Apps session policies.
For Microsoft Edge for Business, this control can be enforced with Microsoft Purview Data Loss Prevention, where Admins can help prevent users from sharing sensitive info with Cloud Apps in Edge for Business. The Conditional Access App Control Custom setting is required for apps included in these policies.
Sign-in frequency
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. Administrators can select a period of time (hours or days) or choose to require reauthentication every time.
The sign-in frequency setting works with apps that implement the OAuth 2.0 or OIDC protocols according to the standards. Most Microsoft native apps for Windows, Mac, and mobile, including the following web applications, follow the setting:
- Word, Excel, PowerPoint Online
- OneNote Online
- Office.com
- Microsoft 365 Admin portal
- Exchange Online
- SharePoint and OneDrive
- Teams web client
- Dynamics CRM Online
- Azure portal
For more information, see the article Configure authentication session management with Conditional Access.
Persistent browser session
A persistent browser session allows users to remain signed in after closing and reopening their browser window.
For more information, see the article Configure authentication session management with Conditional Access.
Customize continuous access evaluation
Continuous access evaluation is automatically enabled as part of an organization's Conditional Access policies. For organizations that want to disable continuous access evaluation, this configuration is available as a session control within Conditional Access. Continuous access evaluation policies can be scoped to all users or to specific users and groups. Admins can make the following selection while creating a new policy or while editing an existing Conditional Access policy.
- Disable only works when All resources (formerly 'All cloud apps') is selected, no conditions are selected, and Disable is selected under Session > Customize continuous access evaluation in a Conditional Access policy. You can choose to disable it for all users or for specific users and groups.
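The three requirements above are easy to get wrong when a policy is authored through the API rather than the portal. The following added example (not from this page or from Microsoft) lints a policy document for them; it assumes the policy is shaped like the Microsoft Graph conditionalAccessPolicy resource, and the sample policies are constructed:

```python
"""Check whether a Conditional Access policy's 'Disable continuous access
evaluation' choice takes effect: only when the policy targets All resources,
selects no other conditions, and sets Disable under the session control.
Policy shape follows the Microsoft Graph conditionalAccessPolicy resource
(an assumption, not taken from this page)."""
import copy

# Constructed sample: All resources, one user group, no other conditions.
SAMPLE_POLICY = {
    "displayName": "CAE disabled for legacy-monitoring service accounts",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["00000000-0000-0000-0000-00000000beef"]},
        "applications": {"includeApplications": ["All"]},
        "locations": None, "platforms": None,
        "signInRiskLevels": [], "userRiskLevels": [],
    },
    "sessionControls": {
        "continuousAccessEvaluation": {"mode": "disabled"},
        "disableResilienceDefaults": False,
    },
}

# Same policy narrowed to trusted locations: Disable no longer takes effect.
SCOPED_POLICY = copy.deepcopy(SAMPLE_POLICY)
SCOPED_POLICY["conditions"]["locations"] = {"includeLocations": ["AllTrusted"]}

# Condition blocks that, when populated, count as "a condition is selected".
EXTRA_CONDITIONS = ("locations", "platforms", "devices",
                    "signInRiskLevels", "userRiskLevels", "clientApplications")


def cae_disable_is_effective(policy):
    """Return (effective, reasons); reasons lists every requirement not met."""
    reasons = []
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        reasons.append("target must be All resources (includeApplications == ['All'])")
    for key in EXTRA_CONDITIONS:
        if cond.get(key):  # None, [] and {} all mean "not selected"
            reasons.append(f"condition '{key}' must not be set")
    cae = (policy.get("sessionControls") or {}).get("continuousAccessEvaluation") or {}
    if cae.get("mode") != "disabled":
        reasons.append("session control must set continuousAccessEvaluation.mode to 'disabled'")
    return (not reasons, reasons)


if __name__ == "__main__":
    for p in (SAMPLE_POLICY, SCOPED_POLICY):
        ok, why = cae_disable_is_effective(p)
        print(p["displayName"], "->", "effective" if ok else "; ".join(why))
```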
Disable resilience defaults
During an outage, Microsoft Entra ID extends access to existing sessions while enforcing Conditional Access policies.
If resilience defaults are disabled, access is denied once existing sessions expire. For more information, see the article Conditional Access: Resilience defaults.
Require token protection for sign-in sessions
Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant. For more information, see the article Conditional Access: Token protection.