SOLVED

Current state of Session controls for Office 365?

%3CLINGO-SUB%20id%3D%22lingo-sub-313818%22%20slang%3D%22en-US%22%3ECurrent%20state%20of%20Session%20controls%20for%20Office%20365%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-313818%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20a%20bit%20confused%20about%20the%20current%20state%20of%20activity%20controls%20in%20the%20public%20preview%20of%20Conditional%20Access%20App%20Controls%20for%20Office%20365%3F%20The%20only%20one%20I%20have%20available%20in%20my%20tenant%20is%20'Block%20Print'%20-%20which%20works%20reasonably%20well%2C%20but%20makes%20no%20practical%20sense%20combined%20with%20a%20lack%20of%20ability%20to%20prevent%20download%20of%20the%20same%20file%3A%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F65867i5F9A03AF43AB974D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-01-11_17-20-41.png%22%20title%3D%222019-01-11_17-20-41.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20simply%20mean%20that%20that%20one%20control%20was%20made%20available%20to%20simply%20illustrate%20the%20potential%20use%20of%20the%20technology%2C%20and%20is%20not%20intended%20to%20be%20used%20for%20anything%20other%20than%20that%20at%20this%20stage%3F%20Or%20am%20I%20missing%20something%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-313818%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-314468%22%20slang%3D%22en-US%22%3ERe%3A%20Current%20state%20of%20Session%20controls%20for%20Office%20365%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-314468%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Alex%20-%20thanks%20for%20getting%20back%20to%20me!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20it's%20the%20fact%20that%20two%20policies%20of%20different%20type%20rather%20than%20just%20one%20are%20required%20to%20achieve%20the%20desired%20effect%20that%20I%20missed.%20It%20is%20perfectly%20clear%20to%20me%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-314352%22%20slang%3D%22en-US%22%3ERe%3A%20Current%20state%20of%20Session%20controls%20for%20Office%20365%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-314352%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Sergey%2C%20happy%20to%20help%20you%20resolve%20this.%20Block%20download%20is%20possible%20in%20any%20app%26nbsp%3Bwith%20session%20controls%20(the%20list%20of%20featured%20apps%20can%20be%20found%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%23supported-apps-and-clients%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%23supported-apps-and-clients%3C%2FA%3E).%20From%20your%20screenshots%2C%20it%20looks%20like%20download%20is%20not%20being%20blocked%20because%20a%20relevant%20policy%20is%20not%20triggered.%20To%20create%20a%20relevant%20policy%20for%20download%20controls%2C%20it%20should%20be%20of%20type%20%22Control%20file%20download%20(with%20DLP)%22%2C%20in%20addition%20to%20the%20%22Block%20Activities%22%20policy%20you%20have%26nbsp%3Bcreated%20for%20Print.%20If%20you%20have%20any%20follow%20up%20questions%2C%20please%20reach%20out%20directly%20to%20me%20at%20alex.esibov%40microsoft.com%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-313822%22%20slang%3D%22en-US%22%3ERe%3A%20Current%20state%20of%20Session%20controls%20for%20Office%20365%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-313822%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217812%22%20target%3D%22_blank%22%3E%40Tristan%20Watkins%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I am a bit confused about the current state of activity controls in the public preview of Conditional Access App Controls for Office 365? The only one I have available in my tenant is 'Block Print' - which works reasonably well, but makes no practical sense combined with a lack of ability to prevent download of the same file:2019-01-11_17-20-41.png

 

 

Does this simply mean that that one control was made available to simply illustrate the potential use of the technology, and is not intended to be used for anything other than that at this stage? Or am I missing something? 

3 Replies
Highlighted
Highlighted
Best Response confirmed by Sergey Zelenov (New Contributor)
Solution

Hi Sergey, happy to help you resolve this. Block download is possible in any app with session controls (the list of featured apps can be found here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#supported-apps-and-clients). From your screenshots, it looks like download is not being blocked because a relevant policy is not triggered. To create a relevant policy for download controls, it should be of type "Control file download (with DLP)", in addition to the "Block Activities" policy you have created for Print. If you have any follow up questions, please reach out directly to me at alex.esibov@microsoft.com

Highlighted

Hi Alex - thanks for getting back to me!

 

Yes, it's the fact that two policies of different type rather than just one are required to achieve the desired effect that I missed. It is perfectly clear to me now.