Session controls VS grant controls

Omar Tsai 20 Reputation points
2024-04-24T13:42:30.04+00:00

Does anyone know if passing grant controls in CAP but not session controls will bypass CAP? Moreso in the context of MCAS, where you can set up conditional access using certificates to do something say "block access to devices with no certificate present". If admins configured a CAP with both MFA control grant and MCAS session control grant, would the session control grant just be bypassed if a user presents their MFA?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,561 questions
0 comments
Accepted answer
  1. Domooney-MSFT 2,476 Reputation points Microsoft Employee
    2024-04-24T15:38:43.9266667+00:00

    Hi Omar Tsai,

    Thank you for posting your query on Microsoft Q&A!

    If the Sign-in matches the Assignments (User, Target resources, Conditions) then both Access Controls (Grant & Session) will apply.

    It would not be possible to bypass the Session controls by providing MFA, even if user has an existing MFA token the session controls will still apply.

    Do let me know if this helps or if you have any further queries.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Kind Regards,

    Donal

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest