In this blog I’ll show you step-by-step instructions for protecting data on unmanaged devices, using Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS) together with Conditional Access policies. This blog will show you how to prevent:
- Cut/Copy data from your O365 environment to (unmanaged) device
- Paste data from an (unmanaged) device to your O365 environment
- Download data from your O365 Environment to (unmanaged) device
- Block access to Desktop Apps from unmanaged devices (force browser usage)
License requirements
Microsoft Defender for Cloud Apps is included in the licenses below. Conditional Access is part of Azure AD Premium P1 and P2.
- Microsoft 365 E5
- Microsoft 365 E5 Security (1)
- Microsoft 365 E5 Compliance (1)
- Microsoft 365 F5 Security (2)
- Microsoft 365 F5 Compliance (2)
- Microsoft 365 F5 Sec+Comp (2)
- Enterprise Mobility + Security E5
(1) Requires Microsoft 365 E3 or Office 365 E3 and Enterprise Mobility + Security E3
(2) Requires Microsoft 365 F1/F3 or Office 365 F3 and Enterprise Mobility + Security E3
Enable File scanning
First, we enable file scanning, which allows Microsoft Defender for Cloud Apps to see the files stored in your SaaS applications.
Settings -> Information Protection -> Files -> Enable file monitoring
Office 365 App Connector
We’re going to protect our Office 365 data. This means that all data in OneDrive, SharePoint and Teams will be protected by this policy; they are all part of the Office 365 “app” within Microsoft Defender for Cloud Apps.
We have to enable the Office 365 app in the App connectors blade. The Office 365 connector is probably already listed but not yet configured. Follow these steps in the Defender for Cloud Apps portal.
Investigate -> Connected apps -> App connectors.
Modify the Office 365 App connector. Select all components and click Connect. If you are not able to select Office 365 files, you probably forgot to enable file scan monitoring.
Create Conditional Access policies
We need to create some Conditional Access policies first. These policies are what integrates Azure AD with Microsoft Defender for Cloud Apps: without a Conditional Access policy that routes the session through Conditional Access App Control, you won’t be able to implement the copy/cut/paste/download policies.
Within the Azure Portal, navigate to Azure Active Directory -> Security -> Conditional Access and click New Policy.
Configure the following policies:
- Name: Unmanaged – O365 – All Users – Browser – Block Download (MCAS)
- Users: Include all users, exclude specific if needed
- Cloud apps or actions: select Office 365
- Conditions – Client apps: select browser
- Conditions – Filter for devices – Exclude filtered devices from policy: device.deviceOwnership -eq "Company" -or device.isCompliant -eq True
- Session: Use Conditional Access App Control -> Block Downloads
- Enable policy: Report only
Note: This policy prevents all users who access Office 365 from an unmanaged device via the browser from downloading data to the device’s local storage.
- Name: Unmanaged – O365 – All Users – Desktop Apps – Block access (MCAS)
- Users: Include all users, exclude specific if needed
- Cloud apps or actions: select Office 365
- *Conditions – Device platforms – Include: Any device
- *Conditions – Device platforms – Exclude: Android/iOS (Only if these are not managed!)
- Conditions – Client apps: Mobile apps and desktop clients
- Conditions – Filter for devices – Exclude filtered devices from policy: device.deviceOwnership -eq "Company" -or device.isCompliant -eq True
- Grant: Block access
- Session: Use Conditional Access App Control -> Use custom policy…
- Enable policy: Report only
Note: This policy blocks access to the Office 365 mobile and desktop apps on unmanaged devices for all users, forcing them to use the browser apps instead. Combined with the first Conditional Access policy, they then cannot download data from the browser apps to local storage either. Only exclude device platforms like Android and iOS if these devices are not managed by Intune! Data on those devices should then be protected with App Protection policies instead. If you do not exclude these mobile platforms, access to e.g. Outlook, Teams and OneDrive on them is blocked.
- Name: Unmanaged – O365 – All Users – Browser – Block cut/copy/paste/print (MCAS)
- Users: Include all users, exclude specific if needed
- Cloud apps or actions: select Office 365
- *Conditions – Device platforms – Include: it depends; follow the same reasoning as for the previous policy
- *Conditions – Device platforms – Exclude: it depends; exclude Android/iOS only if these devices are not Intune-managed and are covered by App Protection policies
- Conditions – Client apps: Browser
- Conditions – Filter for devices – Exclude filtered devices from policy: device.deviceOwnership -eq "Company" -or device.isCompliant -eq True
- Session: Use Conditional Access App Control -> Use custom policy…
- Enable policy: Report only
Note: This policy prevents users on unmanaged devices from copying, cutting, pasting or printing data while using the browser. In combination with the other two Conditional Access policies, users are forced into the browser and cannot download, cut, copy, paste or print data. This means users can still read and modify data, but cannot take it out of Office 365 through download, clipboard or print (screen capture or photographing the screen is outside what session controls can prevent).
Once completed, you will have the following Conditional Access policies.
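As an added example (not code from the original post), here are the same three policies expressed as Microsoft Graph conditionalAccessPolicy bodies, so they can be created with POST /identity/conditionalAccess/policies instead of clicking through the portal, plus a small evaluator that shows which policy hits a given device/client combination. The Graph field names (Office365 as the app target, clientAppTypes, deviceFilter, cloudAppSecurityType) are the documented v1.0 schema; the evaluator is a simplified model of only these three policies and their conditions, not Entra ID’s real policy engine, and the device dictionaries passed to it are constructed inputs.

```python
"""Added example, not code from the original post: the three Conditional Access
policies above as Microsoft Graph conditionalAccessPolicy bodies, plus a small
evaluator to check which of them would hit a given device/client combination.
Assumptions: Graph v1.0 field names for POST /identity/conditionalAccess/policies;
the evaluator is a simplified model of these three policies only, not Entra ID."""
import json
import urllib.request

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Device filter shared by all three policies: company-owned or compliant devices
# are EXCLUDED, so only unmanaged (and unregistered) devices are in scope.
UNMANAGED_ONLY = {"deviceFilter": {
    "mode": "exclude",
    "rule": 'device.deviceOwnership -eq "Company" -or device.isCompliant -eq True',
}}


def _base(name, client_app_types, platforms=None):
    conditions = {
        "applications": {"includeApplications": ["Office365"]},
        "users": {"includeUsers": ["All"]},  # add excludeGroups for break-glass accounts
        "clientAppTypes": client_app_types,
        "devices": UNMANAGED_ONLY,
    }
    if platforms:
        conditions["platforms"] = platforms
    # Report-only first, as the post recommends; flip to "enabled" after review.
    return {"displayName": name, "state": "enabledForReportingButNotEnforced",
            "conditions": conditions}


def build_policies(exclude_mobile_platforms=True):
    """exclude_mobile_platforms mirrors the post's caveat: exclude Android/iOS
    only when they are NOT Intune-managed and rely on App Protection policies."""
    block_download = _base("Unmanaged - O365 - All Users - Browser - Block Download (MCAS)",
                           ["browser"])
    block_download["sessionControls"] = {"cloudAppSecurity": {
        "isEnabled": True, "cloudAppSecurityType": "blockDownloads"}}

    platforms = {"includePlatforms": ["all"]}
    if exclude_mobile_platforms:
        platforms["excludePlatforms"] = ["android", "iOS"]
    block_apps = _base("Unmanaged - O365 - All Users - Desktop Apps - Block access (MCAS)",
                       ["mobileAppsAndDesktopClients"], platforms)
    block_apps["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    # "Use custom policy" hands the browser session to Defender for Cloud Apps,
    # where the cut/copy/paste/print template policy does the actual blocking.
    block_clipboard = _base(
        "Unmanaged - O365 - All Users - Browser - Block cut/copy/paste/print (MCAS)",
        ["browser"])
    block_clipboard["sessionControls"] = {"cloudAppSecurity": {
        "isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}}
    return [block_download, block_apps, block_clipboard]


def is_managed(device):
    """Same test as the filter rule: company-owned OR compliant."""
    return device.get("deviceOwnership") == "Company" or device.get("isCompliant") is True


def evaluate(policies, device, client_app_type, platform):
    """Return the outcome of each matching policy ("block" or the session
    control type). Simplified: only the conditions these policies use."""
    outcomes = []
    for p in policies:
        c = p["conditions"]
        if client_app_type not in c["clientAppTypes"]:
            continue
        if platform in c.get("platforms", {}).get("excludePlatforms", []):
            continue
        if c["devices"]["deviceFilter"]["mode"] == "exclude" and is_managed(device):
            continue  # managed device: filtered out of the policy
        if "block" in p.get("grantControls", {}).get("builtInControls", []):
            outcomes.append("block")
        else:
            outcomes.append(p["sessionControls"]["cloudAppSecurity"]["cloudAppSecurityType"])
    return outcomes


def deploy(policies, access_token):
    """POST the policies to Graph (app needs Policy.ReadWrite.ConditionalAccess).
    Network call; not exercised offline."""
    ids = []
    for body in policies:
        req = urllib.request.Request(
            GRAPH_CA_URL, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            ids.append(json.load(resp)["id"])
    return ids
```

Running evaluate() with an empty device dictionary models an unregistered personal device: a browser session on it gets both blockDownloads and mcasConfigured, a desktop client on it is blocked outright, and a desktop client on iOS is untouched because the platform is excluded, exactly the situation the note on the second policy warns about. A compliant or company-owned device matches none of the three. For the second policy only the Block grant is set; once access is blocked there is no session for a session control to act on.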
Add Conditional Access App Control apps
Verify whether the Office 365 apps are already available in the Conditional Access App Control apps list by viewing Investigate -> Connected apps -> Conditional Access App Control apps.
If no applications are listed, you won’t be able to create app-specific session policies, so we have to make sure the Office 365 apps appear here. When you see “There are no Conditional Access App Control apps”, a Conditional Access policy routing sessions to Defender for Cloud Apps must be created first. If you skipped the previous step, implement those Conditional Access policies now.
After you’ve created the policy, sign in to each app configured in that policy, using a user who is in scope of the policy. Defender for Cloud Apps syncs the policy details to its servers for each new app you sign in to. This may take up to one minute. Reload the page and verify that the applications are being added.
Note: If the applications are still not being added, you need to switch the Conditional Access policies from report-only to On. In that case I recommend scoping the policies to a specific test user first, before enabling them for the entire organization (all users). Once done, wait a few minutes and log on to the applications once again.
Create first policy from template
Microsoft Defender for Cloud Apps comes with default policies and a set of templates. The policy we need is available as a template, which makes it easy to implement this specific requirement.
Within Defender for Cloud Apps, go to Control -> Templates and look for the following template: Block cut/copy and paste based on real-time content inspection. Click the + at the end of the row to create a policy from the template and modify it.
- Modify the Policy name. I’ve added print to the title.
- Modify the filter. Make sure to add print.
- Add a new filter option: App – Equals – Microsoft Online Services.
Now clear (disable) Use content inspection, so the block applies to every cut/copy/paste/print action in the session rather than only to content that matches an inspection rule.
Click Create. The policy is now active.
Create second policy from template
Within Defender for Cloud Apps, go to Control -> Templates and look for the following template: Block download based on real-time content inspection. Click the + at the end of the row to create a policy from the template and modify it.
- Add a new filter option: App – Equals – Microsoft Online Services.
Click Create. The policy is now active.
User experience (unmanaged device)
For managed devices nothing changes at all, so there is no user experience to show from those. Unmanaged devices behave very differently now. Let’s see what happens after we activate these policies.
Microsoft 365 apps: Access to Teams, OneDrive, Word, Excel, Access, PowerPoint, Outlook, etc. is blocked immediately. The end user sees the following error.
Microsoft 365 web apps: Traffic is now proxied and monitored by Microsoft Defender for Cloud Apps. Notice the URL! It has changed for the end user (the original host name is suffixed with .mcas.ms, which is how you can tell a session is being controlled). Click Continue to Office Portal.
The end user then sees this message, telling them that they are unable to download, copy, paste or print the data.
When trying to copy or paste data in the Word document, the user is presented with the following screen. The data is not copied or pasted into the document.
The download button for the document (within SharePoint) is gone. The user can’t download the document to the local storage of the unmanaged device.
Conclusion
Data is protected by Microsoft Defender for Cloud Apps. It cannot leave the protected space and cannot be saved to the local storage of an unmanaged device. This has positive results in terms of data leakage protection.
Managed devices continue to work as before. Users on a managed device are still allowed to open data and use the desktop/client apps.
Unmanaged devices cannot use the desktop/client apps, as these are blocked. On an unmanaged device the user has to use the browser, which can then be protected with different session policies; one of them prevents downloading data to local storage. Users can continue to work on unmanaged devices as long as they have a browser (Edge recommended) available.
Hello,
I followed this guide and set up the 3 conditional access policies, and the 2 CAS policies. However, for some reason, it’s not actually triggering on either my own account or a test account when I try this on an unmanaged personal device.
I see the top browser URL show MCAS and once I did get the weekly notice about monitoring, but, then it has since been just the normal URLs and none of this is triggering.
I did flip the CA policies to On instead of Report Only, and I do also see the apps in MCAS. I did the filtering for devices mentioned, but just unsure what I might be missing that seems to be getting by as it does show MCAS when signing in to office.com and then just is normal.
Hi Brett,
Do you see all the applications or at least “Microsoft 365 – General” under “Conditional Access App Control apps”? I’ve seen once that I had to play with some authentications/applications on managed and unmanaged devices before they showed up and were aware of being “controlled”.
Hi Joey,
what is the difference between this option and the Use app enforced restrictions? We have activated the option in SharePoint for unmanaged devices, web-only access.
We have also created a Conditional Access policy applying this for web for unregistered devices.
So the user will be able to log on on the web but is not able to download. Can you explain the difference? There is also no need for an E5 license 🙂
Hi Deniz,
Defender for Cloud Apps gives more granular control and monitoring. It somehow gives the same results and indeed avoids the E5 license. Most people use App Enforced Restrictions and that is fine. It’s also my preferred method right now.