Forum Discussion
Block download in Teams (Windows 10 application)
MCAS cannot enforce session policies on desktop/native apps. Session policies and controls (including block downloads) are limited to browser sessions only. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad
For native/desktop apps, MCAS can allow or block access completely using a CAS Access policy, but this does not allow granular control over activities.
A typical implementation in a scenario where one wants to limit downloading of files for users on non-compliant or non-hybrid joined machines is to have a CA policy in AAD conditional access to forward sessions to CAS (using the 'use custom policy' option), a CAS access policy to block desktop/native apps (and force users to web-apps), and a CAS session policy to block/control downloads in these web-app sessions.
Hi rajatm, in your suggestion below, can you explain how I create a CAS policy to block native apps and force users to use the web app? "CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions."
I have an access control policy for native client as follows:
ACCESS POLICY
- Device tag does not equal: Intune Compliant, Hybrid Compliant
- App = Microsoft Teams
- User Agent tag = Native Client
- User Name = (User)
SESSION POLICY
- Control file downloads with Inspection
- App = Microsoft Teams
- User Name = (User)
- Device tag = Hybrid Azure AD joined, Intune compliant
I can't seem to get users on a non-supported device to be stopped from downloading files from Teams.
- rajatm, Sep 08, 2020, Copper Contributor
Hello gd2020, you should add a 'client app' == 'Mobile or desktop' filter to the access policy. Without this filter, access policies only apply to browsers. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls. This access policy should then block users from being able to sign in to the Teams desktop app.