Don’t block your users, use Conditional Access to limit what actions a user can perform
Published Dec 10 2018 11:29 AM
Microsoft

One of the most common requests I hear from customers is "We want to prevent people from using Outlook on the Web or SharePoint on a personal device." The main reason is that if email attachments or SharePoint files contain Protected Health Information (PHI), customers want to ensure that those files can't move to unmanaged devices. While you can use Azure Information Protection (AIP) to label and encrypt files, many organizations are just starting their information protection journey and need a solution that immediately keeps data at rest in the cloud storage environment from being moved off it. At the same time, customers want physicians and other clinicians to still be able to access their email from web browsers on non-managed devices so they can stay productive and communicate effectively about patient-specific information.


How can we solve this challenge? Azure Active Directory Conditional Access with the "Use app enforced restrictions" session control, which tells the application to serve a limited experience, can help ensure data stays inside the cloud service. This solution can give your organization the right balance of security and productivity. For the purpose of this article I am discussing how to enable this session control within SharePoint Online, OneDrive for Business and Exchange Online using the native controls in those services together with Azure Active Directory Premium: Conditional Access decides when a session is limited, and each service decides what "limited" means (for example, view-only in the browser with no download, print or sync). You can extend this approach to other cloud services using Microsoft Cloud App Security and Azure Active Directory Premium as well, but that discussion is for another time.
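The three pieces described above, put together as an added PowerShell example (this is not code from the original post or from Microsoft's documentation; the tenant URL, policy display name and the break-glass group comment are placeholders, and the device condition is written with the current "filter for devices" syntax rather than the older "device state" condition this post was written against):

```powershell
# Added example (not from the original post). Assumes the SharePoint Online, Exchange Online
# and Microsoft Graph PowerShell modules are installed and that you hold the SharePoint,
# Exchange and Conditional Access administrator roles. Values marked "placeholder" are assumptions.

# 1. SharePoint Online / OneDrive for Business: admit unmanaged devices, but only in the
#    browser, with download, print and sync blocked (the "limited experience" in this post).
#    Note: this setting also blocks desktop Office and the OneDrive sync client from
#    unmanaged devices, because the limited experience is web-only.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"      # placeholder tenant
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Get-SPOTenant | Select-Object ConditionalAccessPolicy               # verify: AllowLimitedAccess

# 2. Exchange Online: make Outlook on the web read-only in sessions that Conditional Access
#    marks as limited. ReadOnly previews attachments in the browser but blocks download;
#    ReadOnlyPlusAttachmentsBlocked would hide attachments entirely.
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly
Get-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" | Select-Object ConditionalAccessPolicy

# 3. Azure AD Conditional Access: a policy carrying the "Use app enforced restrictions"
#    session control, scoped to browser access to Office 365 from devices that are neither
#    compliant nor hybrid Azure AD joined. Created in report-only mode so the sign-in logs
#    show who would be affected before it is enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Limited web access from unmanaged devices"      # placeholder name
    state       = "enabledForReportingButNotEnforced"             # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @() }  # add your break-glass group here
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"   # managed devices are excluded, so they get the full experience
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two practical notes: the SharePoint setting does not take effect instantly, so allow time before testing from an unmanaged browser, and test with a non-admin account, since excluding your emergency-access accounts from every Conditional Access policy is the usual practice.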


Azure Active Directory Conditional Access

What does the user experience look like? Let’s use the example where an end user wants to check email and look at a file using a kiosk machine at a hotel. The user will go through their normal process to go to Outlook on the Web but when they get to an email that contains an attachment, they will see a banner at the top of the email informing them that they are in a limited session and cannot download, print, or sync to that device. Additionally, the “download” and “print” options will not appear on the file or in the Office Apps.


pic 2.png


When the user clicks on OneDrive for Business or SharePoint Online, the user also will see the same banner and will have a similar experience.


pic 3.png


In this example the file can only be opened in PowerPoint Online; it cannot be downloaded to the device or printed.


These controls ensure that all documents, not just the ones containing PHI, cannot be downloaded, printed or synced from an unmanaged device, without the need for additional security tools. Documents stay in the controlled environment rather than landing on the device (the user can still read them on screen, so this reduces, rather than eliminates, the risk of data leaving the service). The end user can check email, edit documents in the Office Web Apps, and work as they normally would without other services being needed to protect that information. You can keep your clinical workers collaborating with the assurance that documents will not be downloaded to unmanaged devices, and therefore reduce the risk of a data breach.


To learn more about how to configure these options, please review the following links.

Last update: Jul 12 2019 01:53 PM