File or Access policy to restrict file downloads


Hello,

We have multiple web applications that are built to be accessible outside of our corporate network.  Some of the important features are to be able to generate PDFs and print.

 

Is there a way to set up file or access policies that will restrict file downloads and temporary files to be only saved to corporate OneDrive or SharePoint?

 

This is possible on Office Web Applications and Intune using MAM. Can this be done for custom applications using MCAS?

5 Replies

@JamesRV 

 

Hi,

 

The only policies that are active in real time are access and session policies.

 

Session policies will give you control over download and other activities, but they cannot redirect downloaded files to OneDrive.

 

Could you explain the goal of the redirection?

 

If it is security related, you can label the files as they are downloaded via information protection labels and set permissions as to which activities can be performed on the file once it is downloaded.

 

The files are encrypted in the same manner as application protection in Intune.

 

Thx,

 

Shlomi


@Fananico 

Thank you for the response. The need is Data Loss Prevention. Looks like automatic labeling and classification is the way to go. But for some reason my MCAS is having trouble connecting with AIP and so there are NO labels showing up in my policy. I have a ticket open to get this resolved.

 

 


@JamesRV 

 

Hi James,

 

Followed the steps here: https://docs.microsoft.com/en-us/cloud-app-security/azip-integration

Make sure to click on grant access.

Have you published the Azure Information Protection labels?

Do they appear in Office apps?

 

Thx,

 

Shlomi


@Fananico

 

The labels are showing up on all Office apps including admin.office.com BUT not on MCAS.

 

The grant permission step keeps going in a loop. Yes, I am a GA and have logged in sessions in the browser where I am doing this.


@JamesRV 

 

:) I just finished a call with Microsoft and have the same looping problem trying to grant MCAS access in Azure AD.

 

But I am able to see all the labels and apply them as governance actions to files...