mCAS Session Policy and the Block Download Control Type

%3CLINGO-SUB%20id%3D%22lingo-sub-663194%22%20slang%3D%22en-US%22%3EmCAS%20Session%20Policy%20and%20the%20Block%20Download%20Control%20Type%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-663194%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHello.%20I'm%20looking%20to%20better%20understand%20what%20the%20expected%20behaviour%20is%20when%20using%20Conditional%20Access%20App%20Control%20and%20a%20Session%20Policy%20to%20block%20the%20download%20of%20documents%2C%20specifically%20images.%20Currently%20I'm%20able%20to%20block%20everything%20in%20an%20OneDrive%20mCAS%20monitored%20session%20but%20for%20a%20file%20that%20pertains%20to%20an%20image%20i.e.%20GIF%2C%20TIF%2C%20JPG%2C%20PNG%20etc.%20I've%20tired%20multiple%20options%20including%20an%20explicit%20file%20filter%20(per%20image%20attached%20to%20this%20thread)%20but%20without%20any%20success.%20Whilst%20the%20mCAS%20session%20Policy%20works%20as%20expected%20for%20none%20image%20formats%2C%20such%20as%20PDF%2C%20TXT%2C%20Office%20files%20for%20example%2C%20that%20same%20can't%20be%20said%20for%20images.%20Is%20this%20by%20design%3F%20Thanks%20for%20reading%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20674px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F116892i59F7E62B6F8FB555%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22ConitionalAccessAppControl-%20mCAS%20Policy.PNG%22%20title%3D%22ConitionalAccessAppControl-%20mCAS%20Policy.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-663194%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-671815%22%20slang%3D%22en-US%22%3ERe%3A%20mCAS%20Session%20Policy%20and%20the%20Block%20Download%20Control%20Type%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-671815%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F279884%22%20target%3D%22_blank%22%3E%40flotrig%3C%2FA%3E%2C%20thank%20you%20for%20posting.%3C%2FP%3E%0A%3CP%3EOur%20SMEs%20are%20looking%20into%20this%20topic%2C%20and%20will%20get%20back%20to%20you%20as%20soon%20as%20we%20can.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-683250%22%20slang%3D%22en-US%22%3ERe%3A%20mCAS%20Session%20Policy%20and%20the%20Block%20Download%20Control%20Type%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-683250%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F279884%22%20target%3D%22_blank%22%3E%40flotrig%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20a%20limitation%20of%20the%20proxy.%20Since%20we%20have%20to%20download%20the%20images%20of%20the%20website%20to%20render%20them%20correctly%2C%20we%20cannot%20block%20downloads%20of%20images%20without%20breaking%20the%20experience%20for%20customers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20regards%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESebastien%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-683451%22%20slang%3D%22en-US%22%3ERe%3A%20mCAS%20Session%20Policy%20and%20the%20Block%20Download%20Control%20Type%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-683451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F143984%22%20target%3D%22_blank%22%3E%40Sebastien%20Molendijk%3C%2FA%3E%26nbsp%3BHi%20Seb%2C%20thanks%20for%20coming%20back%2C%20had%20a%26nbsp%3Bsuspicion%20this%20is%20where%20you%20might%20head.%26nbsp%3B%20Therefore%2C%20and%20for%20clarity%2C%20if%20a%20user%20renamed%20the%20file%20suffix%20of%20a%20document%20restricted%20by%20the%20current%20mCAS%20policy%2C%20perhaps%20from%20a%20.PDF%20or%20.DOCX%20to%20an%20image%20format%20such%20as%20.PNG%20they%20would%20circumvent%20the%20block%20downloads%20policy%2C%20correct%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBuilding%20on%20this%2C%20If%20I%20wanted%20to%20block%20image%20downloads%2C%20is%20there%20a%20suggested%20approach%20you%20could%20recommend%3F%20Perhaps%20Information%20Protection%20%2B%20Encryption%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%3C%2FP%3E%3CP%3EAndrew%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hello. I'm looking to better understand what the expected behaviour is when using Conditional Access App Control and a Session Policy to block the download of documents, specifically images. Currently I'm able to block everything in an OneDrive mCAS monitored session but for a file that pertains to an image i.e. GIF, TIF, JPG, PNG etc. I've tired multiple options including an explicit file filter (per image attached to this thread) but without any success. Whilst the mCAS session Policy works as expected for none image formats, such as PDF, TXT, Office files for example, that same can't be said for images. Is this by design? Thanks for reading :)

ConitionalAccessAppControl- mCAS Policy.PNG

3 Replies
Highlighted

Hi, @flotrig, thank you for posting.

Our SMEs are looking into this topic, and will get back to you as soon as we can.

Highlighted

Hi @flotrig 

 

This is a limitation of the proxy. Since we have to download the images of the website to render them correctly, we cannot block downloads of images without breaking the experience for customers.

 

Best regards,

 

Sebastien

Highlighted

@Sebastien Molendijk Hi Seb, thanks for coming back, had a suspicion this is where you might head.  Therefore, and for clarity, if a user renamed the file suffix of a document restricted by the current mCAS policy, perhaps from a .PDF or .DOCX to an image format such as .PNG they would circumvent the block downloads policy, correct? 

 

Building on this, If I wanted to block image downloads, is there a suggested approach you could recommend? Perhaps Information Protection + Encryption?

 

Best

Andrew