Forum Discussion
Blocking domain for group of users/or devices
Hi all,
I am trying to find a way to block YouTube for a group of users. We are using M365 E5 Security so can use Defender for Endpoint or Defender for Cloud Apps. However, I can't find a way to implement this.
- My idea was to create an INDICATOR in Endpoint that will be blocked, however I cannot select any group and "all devices" are included there by default. So not sure if this is a way. Web Content Filtering cannot be used for my scenario either.
- Another idea was to use Defender for Cloud Apps. This looks promising but I am not sure how to target only specific users or devices? I managed to mark an app as "unsanctioned" but it applies to all devices.
Any idea?
Thank you.
3 Replies
- knickson (Copper Contributor)
The problem I'm having is I can block "sharefile.com" for all users, and dropbox.com for all users. I have to be able to have specific groups of devices or users that are able to access sharefile.com and dropbox.com. The problem arises when I have to have one computer/user needing access to multiple blocked websites. A device can only be a member of one Defender Device Group. Lots of things I'm reading say the URL block indicators should still work if the device is tagged in Defender, which they are. It's only allowing access to the site covered by the Device Group the device is a member of. This is killing me.
- Lucifier0786 (Copper Contributor)
You can create a Device Group in Defender for Endpoint to target specific devices for blocking YouTube.
Here’s how you can do it:
1. Go to Microsoft 365 Defender → Settings → Endpoints → Permissions → Device Groups.
2. Create a new device group based on tags or other criteria (like OS, domain, etc.).
3. Assign a tag (e.g., BlockYouTube) to the target devices under Manage Tags in the Devices section.
4. Go to Settings → Indicators → URLs/Domains → Add youtube.com as a blocked domain.
5. Select the device group you created as the target.
Alternatively, if you want to block YouTube for specific users rather than devices, you can set up a Conditional Access App Control policy in Defender for Cloud Apps:
1. Create a Conditional Access policy in Entra Admin Center targeting specific users.
2. In Defender for Cloud Apps, create a Session Policy to block YouTube for those users.
If you want to block access based on specific users, a Conditional Access policy + MCAS session control would be better.
If you want to block access based on specific devices, using Device Groups in Defender for Endpoint would be more effective.
- ArtSofM365 (Copper Contributor)
You can do that easily with GSA and you control the ‘who’ by Conditional Access.
You can also do that by MCAS and/or indicators of compromise (URL) - basically SmartScreen - but that is extremely cumbersome, you have to select devices (and that weird concept that a device can only belong to a single device group) and not users, and slow to apply - minutes to hours, sometimes applies inconsistently - that's your second option.