Jun 19 2019 05:07 AM
I have created AIP labels. I have applied them via Microsoft Cloud App Security File policy based on DLP rules. Working fine now.
The objective is to stop those files from being uploaded to personal storage/email like Gmail or Dropbox. I looked at the MCAS session policy, which has a session control type of "Control file upload (with DLP)". I created one, leaving the App filter empty, and added a file filter to match classification labels with the inspection method. Now it blocks file upload even to SharePoint Online.
The conditional rule is on SPO and ExO with session control using custom policy for conditional access app control.
How do I just block files from moving out of the environment, rather than blocking upload to SPO or other locations?
Jun 20 2019 08:37 AM
Thanks for your question.
This scenario is currently not supported by Cloud App Security but could be partially achieved using Windows Information Protection and Microsoft Defender ATP.
Please review the following documentation:
Sebastien
May 18 2020 03:36 AM - edited May 18 2020 03:44 AM
@Ashish Trivedi Hello, may I ask how you ended up configuring your products to meet your needs? Did you use ATP/MIP as suggested? Thanks in advance.
*edit* For information, we have disabled all 'third-party storage providers' just about everywhere. I'm curious though, as I would like to manage the data and not necessarily disable all features.
Apr 24 2021 02:49 AM
@Ashish Trivedi: Can you please explain the steps to block users from uploading files (any labels) from SharePoint/any drive to a personal drive, e.g. G-Drive/Dropbox/Gmail?
Thank you
Sep 21 2022 01:59 AM
@Ashish Trivedi In Defender, could you help with the steps to block users from uploading files (any labels) from SharePoint/any drive to a personal drive, e.g. G-Drive/Dropbox/Gmail?
Sep 18 2023 09:02 AM
Oct 03 2023 04:57 AM
That is still indeed an unresolved point @Ashish Trivedi.
Does anyone have any idea when it will be covered by MDCA? Or will it ever be?
This is quite a basic capability; what is the point of knowing upload/download traffic if we cannot block those actions separately?