Forum Discussion
krishnasembee
Jul 15, 2021 Copper Contributor
Block upload of documents to other Office 365 tenant
I wish to block upload of documents to other Office 365 tenants on a managed device. Can this be achieved using MCAS?
krishnasembee
Jul 30, 2021 Copper Contributor
Hello,
I am not talking about sharing or collaborating here, I am talking about upload.
On my corporate device, I can log in to any Office 365 tenant and upload documents of my tenant. I want to restrict this to only a single tenant.
MZyarah
Jul 30, 2021 Brass Contributor
This is not even related to uploading or sharing files. If you don't want your corporate devices to access other tenants, you need to use Azure AD tenant restrictions; take a look: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
I hope this will be helpful.
- Darren_Bennett
Jul 30, 2021 Copper Contributor
What about non-corporate devices?
- Darren_Bennett
Jul 30, 2021 Copper Contributor
What if all data is encrypted? What happens to sharing or uploading or any other means of exfiltration?
Sharing, uploading, it doesn't matter if the data is encrypted and only corporate devices can be used to authenticate so they can access the data.
- MZyarah
Jul 30, 2021 Brass Contributor
As far as I know, tenant restrictions are not applied beyond the corporate network perimeter, or maybe it can be done with special criteria.
About the encryption: for me, I like to encrypt the data everywhere; however, the main question was whether MCAS is able to fix this issue!
For the question, which is not clear enough, I don't think encryption will solve the requirements.
Let's consider this scenario: you have access to two tenants, and one of them provided you with a managed device (also mentioned in the main question).
Now you have a managed device and access to data in Tenant1, and only access to data in Tenant2 (you can consider the data encrypted at rest and in transit if you like).
For example, what will prevent the user from opening a web session, browsing to the Tenant2 OneDrive, and copying data from the local/Tenant1 data to the second one?
If encryption helps, can you refer me to a doc/blog explaining the same thing, please?