Forum Discussion

7 Replies

  • rajatm
    Copper Contributor

    MCAS cannot enforce session policies on desktop/native apps. Session policies and controls (including block downloads) are limited to browser sessions only. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad


    For native/desktop apps, MCAS can allow or block access completely using a CAS Access policy but this does not allow granular control over activities.


    A typical implementation in a scenario where one wants to limit downloading of files for users on non-compliant or non-hybrid joined machines, is to have a CA policy in AAD conditional access to forward sessions to CAS (using the 'use custom policy' option) and a CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions.

    • gd2020
      Copper Contributor

      Hi rajatm, in your suggestion below, can you explain how I create a CAS policy to block native apps and force users to use the web app: "CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions."


      I have an access control policy for native client as follows:

      Access policy

      Device tag does not equal Intune Compliant, Hybrid Compliant

      App = Microsoft Teams

      User agent tag = Native Client

      User name = (User)

      Session policy

      - Control file downloads with inspection

      App = Microsoft Teams

      User name = (User)

      Device tag = Hybrid Azure AD joined, Intune compliant


      Can't seem to get users on a non-supported device stopped from downloading files from Teams.


      • rajatm
        Copper Contributor

        Hello gd2020, you should add a 'client app' == 'Mobile or desktop' filter to the access policy. Without this filter, access policies only apply to browsers. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls . This access policy should then block users from being able to sign in to the Teams desktop app.
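The decision flow rajatm describes (session controls reach browser sessions only; an access policy reaches native clients only with the 'client app' filter), as an added example that is not part of the thread and not an MCAS API. It models gd2020's access policy as posted beside the same policy with the filter added, over constructed Teams requests, so the effect of the missing filter can be seen.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the decision flow described in the thread; not an MCAS API.
# Rules encoded: (1) session policies apply only to browser sessions proxied by
# Conditional Access App Control; (2) an access policy reaches native/desktop
# clients only if it carries the 'client app == Mobile or desktop' filter.

@dataclass(frozen=True)
class Request:
    app: str
    client: str             # "browser" or "desktop"
    managed: bool           # Intune compliant or Hybrid Azure AD joined
    action: str = "download"

@dataclass(frozen=True)
class AccessPolicy:          # blocks sign-in from unmanaged devices
    app: str
    native_user_agent: bool = True            # gd2020's 'User agent tag = Native Client'
    client_app_filter: Optional[str] = None   # None, or "desktop" per rajatm's fix

@dataclass(frozen=True)
class SessionPolicy:         # blocks downloads from unmanaged devices
    app: str

def access_policy_blocks(p: AccessPolicy, r: Request) -> bool:
    if p.app != r.app or r.managed:
        return False
    in_scope = r.client == ("desktop" if p.client_app_filter == "desktop" else "browser")
    ua_match = (r.client == "desktop") if p.native_user_agent else True
    return in_scope and ua_match

def evaluate(r: Request, access: AccessPolicy, session: SessionPolicy) -> str:
    if access_policy_blocks(access, r):
        return "sign-in blocked"
    if r.client != "browser":
        return "allowed"          # session controls never reach native apps
    if session.app == r.app and not r.managed and r.action == "download":
        return "download blocked"
    return "allowed"

SESSION = SessionPolicy("Microsoft Teams")
AS_POSTED = AccessPolicy("Microsoft Teams")                           # no client-app filter
FIXED = AccessPolicy("Microsoft Teams", client_app_filter="desktop")
SCENARIOS = {  # constructed requests, not captured traffic
    "unmanaged desktop": Request("Microsoft Teams", "desktop", managed=False),
    "unmanaged browser": Request("Microsoft Teams", "browser", managed=False),
    "managed desktop": Request("Microsoft Teams", "desktop", managed=True),
}

def compare() -> dict:
    """Outcome per scenario as (policy as posted, policy with client-app filter)."""
    return {n: (evaluate(r, AS_POSTED, SESSION), evaluate(r, FIXED, SESSION))
            for n, r in SCENARIOS.items()}
```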

  • Hello,

    You can block downloads in SharePoint Online and OneDrive:

    - Conditional Access policy


    Control access from unmanaged devices:

    https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath=%252fen-us%252farticle%252fcontrol-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622


    Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. You do this by creating a policy that specifies the level of protection and the sites to apply the protection to.

    • Sensitive sites: Allow browser-only access. This prevents users from editing and downloading files.
    • Highly regulated sites: Block access from unmanaged devices.

    See "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.


    George Smyrlis 

    • Lassaad 


      Great answer. Also worth pointing out that Conditional Access requires a minimum of an Azure AD Premium P1 licence, and to use session controls you will also need to be licensed for Cloud App Security.
