Step-by-Step: Blocking Data Downloads via Microsoft Cloud App Security
Published May 02 2019 12:01 AM
Iron Contributor

By using Azure AD conditional access policies, we can define who has access to which applications and from where. This purely controls access to your app. Microsoft Cloud App Security (MCAS) allows us to extend these capabilities further, down to the session level. Using MCAS, we can examine each session to the app in real time to protect information further. Using Microsoft Cloud App Security, we can create policies to:

  • Block downloads – We can define policies to block the download of sensitive data.
  • Protect on download – Instead of blocking the download, we can create policies that allow users to download an encrypted document after authentication, even though they are logged in from an unmanaged device.
  • Monitor risky sessions – We can set up policies to monitor sessions from risky sign-ins. All the actions from those sessions will be logged for further review.
  • Block access – If needed, we can completely block access to apps when the request comes from an unmanaged device or a non-corporate network.
  • Create read-only mode – We can create policies that put apps into read-only mode (for a group of users).


In this demo, I am going to show how to integrate an app with Microsoft Cloud App Security and then how we can create policies to control the download of sensitive data. I am going to use the Salesforce application with MCAS and block PDF file downloads. To start,

[Screenshot: cas1.jpg]

  • Then click on Enterprise Applications.

[Screenshot: cas2.jpg]

  • Search for Salesforce under All applications and click on it. Note: if it is not an existing app, you need to add the app first and configure it for Azure AD SSO.

[Screenshot: cas3.jpg]

  • Then click on Conditional access.

[Screenshot: cas4.jpg]

  • Click on + New Policy.

[Screenshot: cas5.jpg]

  • Type a name for the policy in the new window. Then click on Users and groups and select the relevant user group for the app; in my demo it is the Sales & Marketing group. At the end, click on Done to complete the selection.

[Screenshot: cas6.jpg]

  • Click on Grant under Access controls and make sure the default Grant access setting is selected.

[Screenshot: cas7.jpg]

  • Under Session, select Use proxy enforced restriction.

[Screenshot: cas8.jpg]

  • At the end, set Enable policy to On. Then click on Create to complete the policy.

[Screenshot: cas9.jpg]

[Screenshot: cas10.jpg]

  • In the new window, click on the Conditional Access App Control apps tab. There we can see it has discovered the Salesforce app. Please note that once you have configured the initial policy under Azure AD, you need to log in to Salesforce via https://myapps.microsoft.com; only then will it trigger the update. Then click on the Continue setup… link.

[Screenshot: cas11.jpg]

  • It will issue a pop-up. Click on Add to proceed.

[Screenshot: cas12.jpg]

  • Then, under Available controls, click on Session control.

[Screenshot: cas13.jpg]

  • In the new window, click on the Create policy drop-down and select Session policy.

[Screenshot: cas14.jpg]

  • In the policy window, type a name for the policy first. Then change the policy severity to High and change the session control type to Control file download. Then, under Activity filters to the policy, set App equals Salesforce. At the same time, remove any other filter in that section.

[Screenshot: cas15.jpg]

  • Then, under File filters to the policy, set Extension equals pdf. At last, select Block under Actions.

[Screenshot: cas16.jpg]

[Screenshot: cas17.jpg]

  • At the end, click on Create to set up the policy.

[Screenshot: cas18.jpg]

  • According to the above policy, if a user tries to download a PDF file from the Salesforce app, it will be blocked. So now it's time for testing. I logged in to https://myapps.microsoft.com as a user from the sales team. Then I clicked on the Salesforce app to launch it.

[Screenshot: cas19.jpg]

  • On the home page, it says access to Salesforce is monitored. Click on Continue to Salesforce.

[Screenshot: cas20.jpg]

  • Under Files, I have a PDF file shared by the admin. I click on the download option.

[Screenshot: cas21.jpg]

  • As expected, I receive a download blocked message.

[Screenshot: cas22.jpg]

  • Also, it downloads a .txt file at the same time which contains details of the block.

[Screenshot: cas23.jpg]

  • In the Microsoft Cloud App Security logs, we can see detailed information related to the file block.

[Screenshot: cas24.jpg]
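The Azure AD conditional access policy built in the first half of the walkthrough (target group, target app, plain Grant access, session control handed to MCAS) maps onto the Microsoft Graph conditionalAccessPolicy object. The Python below is an added example, not code from this post or from Microsoft: it builds that policy body offline and adds an audit helper that lists which enabled policies route a given app through Cloud App Security; the two GUIDs are placeholders for the Salesforce service principal and the Sales & Marketing group in your own tenant, and nothing here calls the Graph API.

```python
# Graph endpoint for Conditional Access policies. Creating a policy needs a token
# with Policy.ReadWrite.ConditionalAccess; this example only builds the body.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder object IDs: substitute the Salesforce service principal and the
# Sales & Marketing group from your own tenant.
SALESFORCE_APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder
SALES_MARKETING_GROUP_ID = "22222222-2222-2222-2222-222222222222"  # placeholder


def build_app_control_policy(name, app_id, group_id, enabled=True):
    """Body for POST GRAPH_CA_POLICIES equivalent to the portal steps: target group
    and app, plain 'Grant access' (no extra grant controls, so grantControls is
    null) and the session control that hands the browser session to MCAS."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],  # required by Graph; the portal default
        },
        "grantControls": None,
        "sessionControls": {
            "cloudAppSecurity": {
                "isEnabled": True,
                # mcasConfigured = apply the session policies defined in MCAS (here
                # the PDF block) rather than the built-in blockDownloads/monitorOnly.
                "cloudAppSecurityType": "mcasConfigured",
            }
        },
    }


def policies_routing_app(policies, app_id):
    """Audit helper: given policy objects (the 'value' array from GET on
    GRAPH_CA_POLICIES), return names of enabled policies that send app_id through
    MCAS. An empty list means downloads from that app are never inspected."""
    names = []
    for pol in policies:
        if pol.get("state") != "enabled":
            continue
        apps = pol.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if app_id not in apps and "All" not in apps:  # "All" = every cloud app
            continue
        cas = (pol.get("sessionControls") or {}).get("cloudAppSecurity") or {}
        if cas.get("isEnabled"):
            names.append(pol["displayName"])
    return names
```

Feeding the real `value` array from a GET on the policies endpoint to `policies_routing_app` gives a quick check that the Salesforce sessions are actually being proxied before you rely on the MCAS session policy.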

 

6 Comments
Copper Contributor

Great write-up. Thanks!

Great write-up, but the product name is Microsoft Cloud App Security (MCAS) and not Azure Cloud App Security. https://www.microsoft.com/en-us/enterprise-mobility-security/cloud-app-security

Brass Contributor

I'm still foggy on one part of this: do you need to use the myapps portal to get these security features? We have a few RP-initiated apps in Azure and was thinking these might bypass the reverse proxy components.

Brass Contributor

How can I block downloading files with sensitive data from a personal desktop application (thick client), not a browser?

Copper Contributor

Can you explain a similar scenario but with the Teams native app and not a browser app? How can we control the ability of users to download files from Teams in the Teams desktop app?

Brass Contributor

@Dishan_Francis 

We are receiving this error when we try to download PDF files from a client SharePoint site. We have gone to our company IT, who have said it is client policies. We have gone to client IT, who say it is our policies. Neither of which is helpful, and we are unable to get the PDF files, which is critical to performing the work the client has hired us for.
Is there a way to figure out exactly which company has employed policies that are preventing the download? Also, curiously, 3 weeks ago we were downloading the files with no issue.

Last update: Apr 27 2021 07:36 AM