ITOps Talk Blog

Step-by-Step: Blocking Data Downloads via Microsoft Cloud App Security

Dishan_Francis
Iron Contributor
May 02, 2019

Azure AD conditional access policies let us define who can access which applications, and from where. That controls access to the app itself. Microsoft Cloud App Security (MCAS) extends these capabilities to the session level: with MCAS, each session to the app is examined in real time so that the information inside it can be protected further. Using Microsoft Cloud App Security, we can create policies to:

  • Block downloads – define policies that block the download of sensitive data.
  • Protect on downloads – instead of blocking the download, allow users to download an encrypted document after authentication, even when they are signing in from an unmanaged device.
  • Monitor risky sessions – set up policies to monitor sessions from risky sign-ins. Every action in those sessions is logged for later review.
  • Block access – if needed, completely block access to apps from unmanaged devices or non-corporate networks.
  • Create read-only mode – create policies that put apps into read-only mode for a group of users.

In this demo, I am going to show how to integrate an app with Microsoft Cloud App Security and then how to create policies that control the download of sensitive data. I will use the Salesforce application with MCAS and block PDF file downloads. To start,

  • Then click on Enterprise Applications.

  • Search for Salesforce under All applications and click on it. Note: if it is not an existing app, you need to add the app first and configure it for Azure AD SSO.

  • Then click on Conditional access.

  • Click on + New Policy.

  • Type a name for the policy in the new window. Then click on Users and groups and select the relevant user group for the app; in my demo it is the Sales & Marketing group. At the end, click on Done to complete the selection.

  • Click on Grant under Access controls and make sure the default Grant access setting is selected.

  • Under Session, select Use proxy enforced restriction.

  • At the end, switch Enable policy to On. Then click on Create to complete the policy.

  • In the new window, click on the Conditional Access App Control apps tab. There we can see that it discovered the Salesforce app. Please note that once you have configured the initial policy under Azure AD, you need to log in to Salesforce via https://myapps.microsoft.com ; only then will the update be triggered.

         Then click on the Continue setup… link.

  • It will show a pop-up. Click on Add to proceed.

  • Then, under Available controls, click on Session control.

  • In the new window, click on the Create policy drop-down and select Session policy.

  • In the policy window, first type a name for the policy. Then change the policy severity to High, and change the session control type to Control file download. Then, under the activity filters for the policy, set App equals Salesforce. At the same time, remove any other filter in that section.

  • Then, under the file filters for the policy, set Extension equals pdf. Finally, select Block under Actions.

  • At the end, click on Create to set up the policy.

  • According to the above policy, if a user tries to download a PDF file from the Salesforce app, the download will be blocked. So now it is time for testing. I logged in to https://myapps.microsoft.com as a user from the sales team, then clicked on the Salesforce app to launch it.

  • On the home page, it says that access to Salesforce is monitored. Click on Continue to Salesforce.

  • Under Files, I have a PDF file shared by the admin. I click on the download option.

  • As expected, I receive a download blocked message.

  • It also downloads a .txt file at the same time, which contains the details of the block.

  • In the Microsoft Cloud App Security logs, we can see detailed information related to the file block.
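The two halves of the walkthrough, the Azure AD conditional access policy and the Cloud App Security session policy, expressed as one added Python example (my code, not the post's and not Microsoft's). Part 1 writes the conditional access policy as a Microsoft Graph `conditionalAccessPolicy` request body; part 2 models the session policy's filters and Block action and runs them over constructed download events, including a mixed-case `.PDF` name. The group id and app id are placeholders, the events are constructed, and the filter semantics (filters AND-ed, extension compared case-insensitively, unmatched downloads allowed) are my reading of the portal behaviour described above.

```python
"""Policy-as-code companion to the steps above (added example, not code from the post).

Part 1 turns the Azure AD half of the walkthrough (scope to one group and one
app, Grant access with no extra controls, session control routed through Cloud
App Security) into a Microsoft Graph conditionalAccessPolicy request body.

Part 2 models the Cloud App Security session policy from the second half
(activity filter App equals Salesforce, file filter Extension equals pdf,
action Block) and evaluates it over constructed download events, mirroring the
test at the end of the post.
"""
import json
from dataclasses import dataclass

# Placeholders: substitute the object id of your Sales & Marketing group and the
# application id of the Salesforce enterprise application in your tenant.
SALES_GROUP_ID = "00000000-0000-0000-0000-000000000001"
SALESFORCE_APP_ID = "00000000-0000-0000-0000-000000000002"


def build_conditional_access_policy(group_id: str, app_id: str,
                                    name: str = "Salesforce - route via MCAS") -> dict:
    """Return the body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    Field names follow the Graph v1.0 conditionalAccessPolicy schema. The
    cloudAppSecurity session control is what the portal's proxy-enforced
    restriction option sets; with type "mcasConfigured", the download rules
    themselves live in the Cloud App Security session policy (part 2).
    """
    return {
        "displayName": name,
        "state": "enabled",  # "Enable policy": On
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
        },
        # Default "Grant access" with no additional controls: left null so the
        # policy only attaches the session control.
        "grantControls": None,
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}
        },
    }


@dataclass(frozen=True)
class DownloadEvent:
    """One file download attempt as seen by the session proxy (constructed sample)."""
    user: str
    app: str
    filename: str


@dataclass(frozen=True)
class SessionPolicy:
    """The session policy from the walkthrough: filters are AND-ed, so every
    filter must match before the action applies; anything else is allowed."""
    name: str
    app: str                 # activity filter: App equals ...
    extensions: frozenset    # file filter: Extension equals ... (lower-case, no dot)
    action: str = "block"    # "block" or "monitor"

    def matches(self, event: DownloadEvent) -> bool:
        # Extension is compared case-insensitively, so Report.PDF is still a pdf.
        ext = event.filename.rsplit(".", 1)[-1].lower() if "." in event.filename else ""
        return event.app.lower() == self.app.lower() and ext in self.extensions


def evaluate_download(policy: SessionPolicy, event: DownloadEvent) -> dict:
    """Decide what the proxy does with one download and return the audit record."""
    matched = policy.matches(event)
    return {
        "user": event.user,
        "app": event.app,
        "file": event.filename,
        "policy": policy.name if matched else None,
        "decision": policy.action if matched else "allow",
    }


BLOCK_PDF = SessionPolicy(name="Block PDF downloads - Salesforce",
                          app="Salesforce", extensions=frozenset({"pdf"}))

# Constructed events: two should be blocked, two fall through to allow.
SAMPLE_EVENTS = [
    DownloadEvent("alice@example.com", "Salesforce", "Q2-Contract.pdf"),
    DownloadEvent("alice@example.com", "Salesforce", "Q2-Contract.docx"),
    DownloadEvent("bob@example.com", "Box", "Q2-Contract.pdf"),   # other app, out of scope
    DownloadEvent("carol@example.com", "Salesforce", "README.PDF"),
]


def run_samples(policy: SessionPolicy = BLOCK_PDF, events=SAMPLE_EVENTS) -> list:
    """Evaluate every sample event and return the audit records in order."""
    return [evaluate_download(policy, e) for e in events]


if __name__ == "__main__":
    print(json.dumps(build_conditional_access_policy(SALES_GROUP_ID, SALESFORCE_APP_ID), indent=2))
    for record in run_samples():
        print(json.dumps(record))
```

Posting the part 1 body to Graph needs an app or user token holding the Policy.ReadWrite.ConditionalAccess permission; part 2 is only a model of the proxy's decision, useful for checking that a filter set catches the cases you expect (here, the upper-case extension) before you rely on it in the portal.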

 

Updated Apr 27, 2021
Version 5.0
  • Peggy Lang
    Brass Contributor

    Dishan_Francis 

    We are receiving this error when we try to download PDF files from a client SharePoint site. We have gone to our company IT, who have said it is client policies. We have gone to client IT, who say it is our policies. Neither of which is helpful, and we are unable to get the PDF files, which are critical to performing the work the client has hired us for.
    Is there a way to figure out exactly which company has employed policies that are preventing the download? Also, curiously, 3 weeks ago we were downloading the files with no issue.

  • gd2020
    Copper Contributor

    Can you explain a similar scenario but with the Teams native app and not a browser app? How can we control the ability of users to download files from Teams in the Teams desktop app?

  • VKantamneni
    Brass Contributor

    How can I block downloading files with sensitive data from a personal desktop application (thick client), not a browser?

  • Tony Roth
    Brass Contributor

    I'm still foggy on one part of this: do you need to use the MyApps portal to get these security features? We have a few RP-initiated apps in Azure and I was thinking these might bypass the reverse proxy components.