Forum Discussion
Enforce MFA when user download sensitive document
Hi All,
I have tested the scenario, Block download using custom session based conditional access policy in Cloud Apps. However, I was wondering whether we can enforce MFA when user download sensitive documents rather than blocking the download.
I would appreciate the help!
Thanks in advance,
Dilan
- You can configure it on the Site level via auth context: https://office365itpros.com/2021/06/10/azure-ad-authentication-context-sensitivity-labels/
At the moment, you cannot use it for individual labeled files. The other option is to target AIP as a cloud app via Conditional access policy, but that is even broader than doing it per-site.
5 Replies
- Thank you all for the explanations and value comments. this is actually one of my clients requiement.
- Keith_Fleming
Microsoft
Hi dilanmic,
As VasilMichev mentioned this is possible using authentication context. The site would need to have a label and within Defender for Cloud Apps you would specify "require step-up authentication"
It's the same concept described in this article (the action is just different).
Protect sensitive SharePoint sites with Defender for Cloud Apps - Microsoft Tech Community
- Doug_San
Like VasilMichev and Keith_Fleming said, authentication context can help here, as long you are using Azure AD Conditional Access to send the user session for Defender for Cloud apps.
One minor observation:
Although you can do this at the SPO site level, you don't need to. You can invoke re-authentication via authentication context as an action of file inspection.
In other words, after you configure Azure AD authentication context polices to require MFA, you can change the action on your session police from "Block" to "Require step-up authentication" and map to the policy you created in Azure AD.
The only caveat is that if the user has already performed MFA before, granted that everything remains the same, (user in good state/same device/browser) the MFA prompt will be satisfied silently by cached token in the computer/browser.Doug_San I'm sorry but I don't understand your post here. The whole idea of step-up authentication is that you'd like to force another MFA prompt even though you have a valid claim. Please elaborate 🙂
- You can configure it on the Site level via auth context: https://office365itpros.com/2021/06/10/azure-ad-authentication-context-sensitivity-labels/
At the moment, you cannot use it for individual labeled files. The other option is to target AIP as a cloud app via Conditional access policy, but that is even broader than doing it per-site.
