Access controls

Access controls allow you to specify whether the assignments you've configured are meant to allow or restrict access and whether there are additional caveats to that access. You can configure two sections, Grant and Session:

• Grant: With grants, you can specify additional requirements that must be met or block access entirely. You could choose all of the following, or require that just one of them is met:
  • Require MFA
  • Require device compliance
  • Require hybrid AD joined device
  • Require approved client app
  • Require app protection policy
• Session: With sessions, you can permit limited or full experiences in SharePoint and Exchange by passing device information to the apps, or force more frequent reauthentication. You're able to configure each of the following controls:
  • Use app enforced restrictions (SharePoint Online and Exchange Online only)
  • Use conditional access app control
  • Sign-in frequency
  • Persistent browser session

First, we'll look at whether or not we should block or allow access. We can do this in the Grant section.