Block Downloads, Copy and Paste from M365 Windows Apps on Unmanaged Devices

Chris, combining app-enforced restrictions and session policies as Keith outlined provides a good data protection foundation. Additionally, I would leverage Sensitivity labels to enable more granular control over copy/paste, download, and access policies based on content types rather than blanket restrictions. Tailoring Sensitivity labels by content makes restrictions smarter - you can dictate that only financial or PII data face restrictions while allowing flexibility for other content. And labels provide helpful auditing trails. This layered model - app restrictions, session policies, and targeted Sensitivity labels - delivers preventative and detective controls for comprehensive data governance. It enforces protection consistently across apps and devices.

Nonetheless, I still advise having backup solutions for your Microsoft 365 data as a last line of defense. Even robust preventative measures can fail, making recovery capabilities critical. Let me know if you want recommendations on backup options.