
Session Controls & App Protection

25 mins

Understanding the Concept

Session controls in Conditional Access go beyond the initial access decision to govern what users can do during their session. Sign-in frequency controls how often users must re-authenticate, while the persistent browser session setting determines whether users stay signed in across browser restarts.

Conditional Access App Control integrates with Microsoft Defender for Cloud Apps to provide real-time session monitoring and control. It can prevent downloads, block copy/paste, watermark documents, and monitor session activity for sensitive applications.

Application-enforced restrictions work with specific Microsoft apps (SharePoint, Exchange) to limit functionality based on device state. For example, users on unmanaged devices can be restricted to web-only access with no download capability.

Key Points

  • Sign-in frequency: Control re-authentication intervals (e.g., every 8 hours)
  • Persistent browser: Allow or require non-persistent sessions
  • App control: Real-time session monitoring via Defender for Cloud Apps
  • App-enforced restrictions: Limited access on unmanaged devices
  • Continuous Access Evaluation (CAE): Near real-time policy enforcement

Session Control Architecture

  • Step 1 - Access Granted: the user passes the initial CA evaluation and gains access
  • Step 2 - Session Policy: session controls are applied (sign-in frequency, persistence, app control)
  • Step 3 - Real-Time Monitor: Defender for Cloud Apps monitors actions in real time
  • Step 4 - Action Control: downloads are blocked, documents watermarked, or actions restricted based on policy
  • Step 5 - CAE Events: critical events trigger immediate re-evaluation

Why This Matters in Real Organizations

Access decisions should not end at sign-in. Once a user has access, their actions within the session matter too. Session controls extend Zero Trust from the authentication moment throughout the entire user session, preventing data exfiltration and enabling safe access from any device.

Common Mistakes to Avoid

  • Setting sign-in frequency too aggressively, frustrating users with constant re-auth
  • Not understanding that app-enforced restrictions only work with specific Microsoft apps
  • Deploying Conditional Access App Control without Defender for Cloud Apps licensing
  • Ignoring Continuous Access Evaluation capabilities for near real-time enforcement
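An added example in Python (not from this course or from Microsoft): it builds the BYOD/unmanaged-device session policy described under Understanding the Concept in the Microsoft Graph conditionalAccessPolicy shape, and audits a policy body for two of the mistakes listed above. The 4-hour "too aggressive" threshold and the policy name are assumptions; the app IDs are the well-known SharePoint Online and Exchange Online first-party application IDs.

```python
"""Build and audit Entra CA session controls (Graph conditionalAccessPolicy shape)."""
from typing import Any

# Well-known first-party app IDs that honour app-enforced restrictions; "All"
# also includes them. Threshold below is an assumption: tune per organisation.
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
APP_ENFORCED_CAPABLE = {"All", "Office365", SHAREPOINT_ONLINE, EXCHANGE_ONLINE}
MIN_SANE_SIGNIN_HOURS = 4


def unmanaged_device_policy(name: str, sign_in_hours: int = 8) -> dict[str, Any]:
    """BYOD/unmanaged-device session policy: app-enforced restrictions (web-only,
    no download, decided by SharePoint/Exchange from device state), block
    downloads through Defender for Cloud Apps, re-auth every sign_in_hours,
    and never persist the browser session. Starts in report-only mode."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser"],
        },
        "sessionControls": {
            "applicationEnforcedRestrictions": {"isEnabled": True},
            "cloudAppSecurity": {"isEnabled": True,
                                 "cloudAppSecurityType": "blockDownloads"},
            "signInFrequency": {"isEnabled": True, "type": "hours",
                                "value": sign_in_hours},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }


def audit_session_controls(policy: dict[str, Any]) -> list[str]:
    """Flag two of the common mistakes above; returns a list of findings."""
    findings: list[str] = []
    sc = policy.get("sessionControls") or {}
    apps = policy.get("conditions", {}).get("applications", {})
    apps = set(apps.get("includeApplications", []))
    sif = sc.get("signInFrequency") or {}
    if sif.get("isEnabled"):
        hours = sif["value"] / 60 if sif.get("type") == "minutes" else sif["value"]
        if hours < MIN_SANE_SIGNIN_HOURS:
            findings.append(f"sign-in frequency of {sif['value']} {sif['type']} is aggressive")
    aer = sc.get("applicationEnforcedRestrictions") or {}
    if aer.get("isEnabled") and not apps & APP_ENFORCED_CAPABLE:
        findings.append("app-enforced restrictions target no app that supports them")
    return findings
```

The policy body is the JSON you would POST to /identity/conditionalAccess/policies; keep it report-only until the sign-in logs show the expected impact.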

Interview Tips

  • Explain the difference between grant controls and session controls
  • Discuss Continuous Access Evaluation and its benefits
  • Give examples of session control scenarios for BYOD/unmanaged devices

Exam Tips (SC-300)

  • Know the session control options and their use cases
  • Understand Continuous Access Evaluation (CAE) and its triggers
  • Know which apps support app-enforced restrictions
