In the previous article, we discussed the various controls used to decide whether to allow a user and/or device access to apps and data with Azure AD Conditional Access Grant controls. However, after providing access with grant controls, administrators can apply additional controls to manage and monitor the overall user experience. Azure AD Conditional Access can use session controls to limit the experience for end users within specific cloud applications. Session controls can be used in conjunction with Grant controls or independently.
Currently, there are 4 access control session options. These include:
- Use app enforced restrictions
- Use Conditional Access App Control
- Sign in Frequency
- Persistent Browser Session
Use app enforced restrictions
App enforced restrictions are currently only supported for Exchange Online and SharePoint Online. If you do not have these apps explicitly selected in the Cloud App assignments, this option will not be available. This policy lets administrators keep allowing access to Exchange and SharePoint data while providing a limited experience when the conditions of the conditional access policy are met, by forcing Azure AD to send device state data to Exchange and/or SharePoint Online.
For Exchange Online Outlook on the Web, administrators will have to configure their OWA Mailbox policy to use Conditional Access for browser sessions, such as
Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly
This prevents the use of the light version of Outlook on the web. Valid values are:
- Off: No conditional access policy is applied. This is the default value
- ReadOnly: Users can view attachments but cannot download. Also cannot enable Offline Mode for non-compliant devices
- ReadOnlyPlusAttachmentsBlocked: Same as ReadOnly, but also cannot view attachments
In ReadOnly mode, users will not see a download or offline option, but rather this message:
For SharePoint Online, you can control the experience for unmanaged devices using PowerShell:
<Set-SPOTenant | Set-SPOSite> -ConditionalAccessPolicy <AllowFullAccess | AllowLimitedAccess | BlockAccess>
Additional AllowLimitedAccess options are available using the LimitedAccessFileType parameter:
- OfficeOnlineFilesOnly: Only allows preview of Office files in the browser
- WebPreviewableFiles: Default value. Allows preview of all file types
- OtherFiles: Also allows download of files that cannot be previewed
These settings can also be managed on the Access control page of the SharePoint admin center.
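The two app-enforced restriction settings above are easy to set once and then forget, so a practitioner normally wants a script that reports the current state across every OWA mailbox policy and the SharePoint tenant, and a single function that applies the limited-access defaults. The following PowerShell is an added example, not code from the original article; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account used is an Exchange and SharePoint administrator, and that the tenant name and the function names (Get-AppEnforcedRestrictionState, Set-AppEnforcedRestrictionDefaults) are placeholders of mine.

```powershell
# Added example (not from the original article): audit and set the app-enforced
# restriction values for Exchange Online (OWA mailbox policies) and SharePoint Online.
# Assumes ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules.

$TenantName = 'contoso'   # placeholder tenant name, replace with your own

Connect-ExchangeOnline
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

function Get-AppEnforcedRestrictionState {
    # One row per OWA mailbox policy plus the SPO tenant setting, so it is obvious
    # which objects would still hand out full access when a session control fires.
    $rows = @(foreach ($p in Get-OwaMailboxPolicy) {
        [pscustomobject]@{
            Scope   = "OWA policy: $($p.Name)"
            Value   = $p.ConditionalAccessPolicy     # Off | ReadOnly | ReadOnlyPlusAttachmentsBlocked
            Limited = ($p.ConditionalAccessPolicy -ne 'Off')
        }
    })
    $spo = Get-SPOTenant
    $rows += [pscustomobject]@{
        Scope   = 'SharePoint Online tenant'
        Value   = "$($spo.ConditionalAccessPolicy) / $($spo.LimitedAccessFileType)"
        Limited = ($spo.ConditionalAccessPolicy -ne 'AllowFullAccess')
    }
    return $rows
}

function Set-AppEnforcedRestrictionDefaults {
    # Browser sessions flagged by Conditional Access get read-only mail with no
    # download, and browser-only preview of Office files in SharePoint/OneDrive.
    Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly
    Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
                  -LimitedAccessFileType OfficeOnlineFilesOnly
}

# Review before changing anything: any row with Limited = False is a gap.
Get-AppEnforcedRestrictionState | Format-Table -AutoSize
```

Run the audit first and only call Set-AppEnforcedRestrictionDefaults once you have confirmed which OWA policies are actually assigned to users; a non-default OWA mailbox policy left at Off silently bypasses the restriction for every mailbox it covers.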
Use Conditional Access App Control
Conditional Access App Control acts as a reverse proxy redirecting the end user session to Microsoft Cloud App Security (MCAS) to monitor activities in real time. This allows for more granular control over the session in addition to the conditions laid out within the conditional access policy assignments.
There are three choices for this control, each using signals from MCAS to perform actions:
- Monitor Only (Preview): Log and audit activities within the session. This takes no action against the session. Data being monitored can be reviewed within MCAS for compliance or other security reasons and then converted to an appropriate custom session policy.
- Block downloads (Preview): Block download, cut, copy, and print of documents. This can be used to prevent data exfiltration from unmanaged devices.
- Use custom policy: Uses policies created within MCAS to enforce actions. This can include almost any access or session policies MCAS is capable of configuring, such as enforcing usage of Sensitivity Labels or Data Loss Prevention or blocking access entirely.
When a Conditional Access App Control policy is applied, users are redirected through MCAS URLs. This is how the traffic is captured and monitored. For example, the following user experience occurs when trying to access SharePoint with a Conditional Access App Policy applied. First, you are redirected to an access control URL to validate the login. Second, all subsequent URLs will use us.cas.ms as a suffix to the main URL, SharePoint in this example.
Sign in Frequency
1st scenario: Highly sensitive/secure connection. Constantly reaffirm that continued access is needed. Credentials to sensitive data and applications do not persist for long periods of time, which would allow bad actors to steal them.
2nd scenario: Typical user environment. No need to prompt the user for credentials if the current session has not changed. Too many prompts can cause a typical user to enter their credentials without thinking and lead to a compromised account.
Values for hours can be anywhere from 1-23 and days from 1-365. Without this setting, the default value for Azure AD is a rolling 90 days.
Sign-in frequency options work for most Microsoft apps that support Modern Authentication as well as web applications including:
- Word, Excel, PowerPoint Online
- OneNote Online
- O365 Admin portal
- Exchange Online
- SharePoint and OneDrive
- Teams web client
- Dynamics CRM Online
- Azure portal
Persistent Browser Session
This option allows users to remain signed in even after closing their browser and reopening it. It is the same as selecting the “Stay signed in?” option when authenticating to Azure AD. If setting this option, administrators should consider disabling the “Stay signed in?” prompt within the Azure AD Company branding settings.
There are two options for this setting:
- Always Persistent: Will preserve authentication session token. Subsequent browser sign ins will not require reauthentication
- Never Persistent: Requires reauthentication every time
This control requires “All Apps” to be selected as a condition to configure this option. This is due to browser persistence being controlled by a single authentication session token for all tabs and windows. The entire browser session must share the persistence state.
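The Conditional Access App Control, Sign in Frequency and Persistent Browser Session sections above all end up as fields of one conditional access policy object, and the article's closing advice is to test new policies in Report-Only mode first. The following PowerShell is an added example, not code from the original article, showing how those three session controls are combined in a single policy created through Microsoft Graph in the report-only state. It assumes the Microsoft.Graph.Identity.SignIns module, consent to the Policy.ReadWrite.ConditionalAccess scope, a placeholder pilot group id, and function names of mine (Test-SignInFrequencyValue, New-SessionControlPolicy); the range check encodes the 1-23 hours / 1-365 days limits stated above, and the policy targets All apps because the persistent browser control requires it.

```powershell
# Added example (not from the original article): create a Conditional Access policy
# that combines the MCAS session control, sign-in frequency and persistent browser
# session, in report-only state so it is evaluated and logged but not enforced.
# Assumes the Microsoft.Graph.Identity.SignIns module and admin consent to
# Policy.ReadWrite.ConditionalAccess.

Import-Module Microsoft.Graph.Identity.SignIns

function Test-SignInFrequencyValue {
    # Enforce the ranges the article gives: 1-23 hours or 1-365 days.
    param(
        [Parameter(Mandatory)][ValidateSet('hours', 'days')][string]$Type,
        [Parameter(Mandatory)][int]$Value
    )
    $max = if ($Type -eq 'hours') { 23 } else { 365 }
    if ($Value -lt 1 -or $Value -gt $max) {
        throw "Sign-in frequency of $Value $Type is out of range (1-$max)."
    }
    return $true
}

function New-SessionControlPolicy {
    param(
        [string]$DisplayName    = 'Session controls - report only (example)',
        [string]$PilotGroupId   = '00000000-0000-0000-0000-000000000000',  # placeholder group id
        [ValidateSet('hours', 'days')][string]$FrequencyType = 'hours',
        [int]$FrequencyValue    = 8
    )
    Test-SignInFrequencyValue -Type $FrequencyType -Value $FrequencyValue | Out-Null

    $body = @{
        displayName = $DisplayName
        # Report-only: results show up in the sign-in logs without affecting users.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($PilotGroupId) }
            # "All" apps is required for the persistent browser session control.
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser')
        }
        sessionControls = @{
            cloudAppSecurity = @{
                isEnabled            = $true
                cloudAppSecurityType = 'monitorOnly'   # or 'blockDownloads' / 'mcasConfigured'
            }
            signInFrequency = @{
                isEnabled = $true
                type      = $FrequencyType              # 'hours' or 'days'
                value     = $FrequencyValue
            }
            persistentBrowser = @{
                isEnabled = $true
                mode      = 'never'                     # 'always' or 'never'
            }
        }
    }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$policy = New-SessionControlPolicy
"Created '$($policy.DisplayName)' in state '$($policy.State)' (id $($policy.Id))"
```

Leave the policy in report-only until the sign-in logs show the expected users being matched and the redirect through the MCAS URLs behaving as described in the Conditional Access App Control section, then switch the state to enabled. Because Test-SignInFrequencyValue throws before anything is sent to Graph, an out-of-range value such as 24 hours never produces a half-configured policy.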
Session controls expand upon what grant controls provide. With several options, from simple reauthentication rules to complete session oversight via Microsoft Cloud App Security, Azure AD Conditional Access Session controls should give administrators the granular controls they need to configure and satisfy their access requirements for unique and complex use case scenarios.
Azure AD Conditional Access Policies are indeed extremely powerful and fully authoritative when it comes to controlling access into your environment. Any app integrated into Azure AD, on-premises, or cloud, can have a policy applied. Any new policy created should use either the What-If tool or Report-Only mode prior to implementing the policy into production.
Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.