Recently I was working with a customer securing their Office 365 environment using Intune & Conditional Access, they had previously created a bunch of rules created to restrict access, which seemed to work for most scenarios but there was one issue that was identified.
The current rules allowed only external web based access with MFA, however it was discovered that SharePoint users were able to map their devices using Windows Explorer, which the customer didn’t want.
The legacy client option in Conditional Access was not affecting it, after a little digging and speaking with colleagues I found this snippet from :https://docs.microsoft.com/en-us/sharepoint/authentication
Session and persistent cookies
By default, all SharePoint Online cookies are session cookies. These cookies are not saved to the browser’s cookie cache and instead are deleted whenever the browser is closed. Azure AD provides a Keep Me Signed In button during login that passes a signal to Office 365 to enable persistent cookies. These cookies are saved to the browser’s cache and will persist even if the browser is closed or the computer is restarted.
Persistent cookies have a huge impact on the sign-in experience by reducing the number of authentication prompts users see. Persistent cookies are also required for some SharePoint Online features, such as Open with Explorer and Mapped Drives.
After disabling the option to stay signed in within the Company Branding section of Azure AD, external desktop clients were no longer able to map drives as SharePoint locations.
Now, what if we actually wanted this option to remain signed in? Well, there is an option in Conditional Access to override this setting (currently in preview at time of writing)