Step-by-Step: Blocking Data Downloads via Microsoft Cloud App Security
Published May 02 2019 12:01 AM 29.5K Views
Iron Contributor

By using Azure AD conditional access policies, we can define who has access to what applications from where. This is purely to control the access to your app. Microsoft Cloud App Security (MCAS) allows us to extend these capabilities further into session level. Using MCAS, we can examine each session to the app in real time basis protect information further. Using Microsoft Cloud App Security, we can create policies to,


  • Block downloads – Can define policies to block download of sensitive data.
  • Protect on downloads – instead of blocking download, we can create policies to allow users to download encrypted document after authentication, even though they are login from unmanaged device.
  • Monitor risky sessions – we can setup policies to monitor session of risky sign ins. All the action from those sessions will be logged for further review.
  • Block access – If needed we can completely block access to apps if it’s from unmanaged device or non-corporate network.
  • Create read-only mode – we can create policies to create read-only mode for apps (for group of users)

Click here to learn more about Microsoft Cloud App Security.


In this demo, I am going to demonstrate how to integrate an app with Microsoft Cloud App Security and then how we can create policies to control download of sensitive data. In this demo I am going to use salesforce application with MCAS and block PDF file downloads. To start,



  • Then click on Enterprise Applications



  • Search for Salesforce under All applications and click on it. Note - If it is not an existing app, you need to go and add the app first and configure it for Azure AD ad SSO.


  • Then click on Conditional access 



  • Click on + New Policy 


  • Type name for the policy in new window. Then click on Users and Groups and select relevant user group for the app. in my demo it is Sales & Marketing group. at the end click on Done to complete the selection.


  • Click on Grant under access controls and make sure default grant access settings selected.


  • Under the sessions select use proxy enforced restriction.


  • At the end click On under Enable policy. Then click on Create to complete the policy.



  • In new window click on Conditional Access App Control apps tab. There we can see it discovered sales force app. Please note once you configured the initial policy under Azure AD, you need to log in to sales force via . Then only it will trigger the update.

         Then click on Continue setup…. link.



  • It will issue a pop-up. Click on Add to proceed.


  • Then under available controls, click on session control.


  • In new window, click on create policy drop down and select session policy


  • In policy window, type name for policy first. Then change policy severity to High. Change session control type to control file downloadThen under activity filters to the policy, set app equal to Salesforce. Same time remove any other filter in that section.



  • Then under file filters to the policy, set extension equals to pdf. At last select block under actions.


  • At the end click on create to setup the policy.


  • According to above policy, if a user trying to download PDF file under Salesforce app, it will be blocked. So now it’s time for testing. I logged in to as a user from sales team. Then I click on Salesforce app to launch it.



  • In home page, it says access to Salesforce is monitored. Click on continue to Salesforce.


  • Under files, I have a PDF file shared by admin. I click on download option.


  • As expected, I receive download blocked message.



  • Also, it downloads a .txt file same time which contain details of the block.


  • In the Microsoft Cloud App Security logs, we can see detailed information related to file block.



Version history
Last update:
‎Apr 27 2021 07:36 AM
Updated by: