In an Azure AD Conditional Access policy, the Grant control is used to enforce specific requirements for access to be allowed. To mandate multi-factor authentication (MFA), an administrator must configure the policy to "Grant access" but "Require multi-factor authentication" within these settings. This control block determines the actions a user must take to gain access to the specified cloud applications.

The Session control settings in a Conditional Access policy are used to manage the user's session after they have successfully authenticated. To force a user to re-authenticate after a specific period, such as every eight hours, an administrator would configure the "Sign-in frequency" option within the Session settings. This feature dictates the time a user can remain signed in before they are prompted to provide their credentials again.

Microsoft Documentation (Azure AD): "Conditional Access: Grant". Microsoft Learn. Under the section "Require multi-factor authentication," it states, "This control requires users to complete multi-factor authentication." This directly maps the MFA requirement to the Grant control.

Microsoft Documentation (Azure AD): "Conditional Access: Session". Microsoft Learn. The document details the "Sign-in frequency" control, stating, "Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource." This confirms that re-authentication intervals are managed under Session settings.