A company uses Microsoft Entra ID and a third-party SaaS application. They want to prevent users from downloading sensitive documents from the SaaS app when accessing from unmanaged personal devices, while still allowing read-only access. Which Conditional Access control should they apply to achieve this?
Session policies in Microsoft Defender for Cloud Apps allow granular controls, such as blocking download while permitting read-only access, based on device state.
Why this answer
Option C is correct because Microsoft Defender for Cloud Apps (MDCA) session policies enable granular control over user actions within a SaaS app, such as blocking downloads while allowing read-only access. This is achieved through a reverse proxy architecture that intercepts HTTP/HTTPS traffic and enforces policies on it in real time, regardless of device compliance or identity provider status. Conditional Access with MDCA session control is the only option that provides app-level data protection without requiring device management or blocking access entirely.
Exam trap
The trap here is that candidates often confuse identity-based controls (like MFA or device compliance) with app-level data protection controls, not realizing that only MDCA session policies can enforce granular actions like 'block download' while still allowing read-only access within the app itself.
How to eliminate wrong answers
Option A is wrong because requiring multifactor authentication (MFA) only verifies identity and does not control what users can do within a SaaS app after authentication, such as downloading documents. Option B is wrong because requiring a compliant device via Intune compliance policy would block access entirely from unmanaged personal devices, rather than allowing read-only access while preventing downloads. Option D is wrong because blocking access would prevent all access, including the desired read-only capability, which is too restrictive for the requirement.