A finance team accesses a sensitive payroll web app. The security lead wants users to reauthenticate every hour while inside the app, without forcing reauthentication for any other application. Which Conditional Access configuration meets this requirement with the least administrative effort?
- A. Create a policy scoped to the payroll app and configure the sign-in frequency session control to a periodic value of one hour. (Correct)
- B. Create a policy targeting all cloud apps and set the sign-in frequency session control to one hour for every user in the tenant.
- C. Create a policy scoped to the payroll app and enable the persistent browser session control so the browser session expires after one hour.
- D. Create a policy scoped to the payroll app and set the grant control to require multi-factor authentication on every single sign-in event.
Why A is correct: Scoping the policy to the single payroll app and using the sign-in frequency session control enforces hourly reauthentication only where it is required, which matches the stated scope exactly.
Why B is wrong: Targeting all cloud apps applies the hourly reauthentication far beyond the payroll app, which breaks the stated requirement to leave other applications untouched.
Why C is wrong: The persistent browser session control determines whether cookies survive browser closure; it does not impose a periodic one-hour reauthentication interval inside an active session.
Why D is wrong: Requiring MFA defines the strength of a grant, not a timed reauthentication interval, so it does not deliver the hourly cadence the requirement specifies.