Apr 15 2020 08:49 AM - edited Apr 15 2020 08:53 AM
Hello,
Is there a way to block data exfiltration (e.g. block download) in the Windows 10 Microsoft Teams application (not the web version) in a real-time protection manner? Since Intune MAM policies cannot be configured for Windows 10, the only option would be WIP?
Thank you,
George
Apr 17 2020 07:11 AM
Hello,
You can block downloads in SharePoint Online and OneDrive:
- Conditional Access Policy
Control access from unmanaged devices:
Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. You do this by creating a policy that specifies the level of protection and the sites to apply the protection to.
See "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.
Apr 18 2020 10:48 AM
Great answer. Also worth pointing out that Conditional Access requires a minimum of Azure AD Premium P1 licence, and to use session controls you will also need to be licensed for Cloud App Security.
Apr 20 2020 11:51 AM
MCAS cannot enforce session policies on desktop/native apps. Session policies and controls (including block downloads) are limited to browser sessions only. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad
For native/desktop apps, MCAS can allow or block access completely using a CAS Access policy but this does not allow granular control over activities.
A typical implementation in a scenario where one wants to limit downloading of files for users on non-compliant or non-hybrid joined machines, is to have a CA policy in AAD conditional access to forward sessions to CAS (using the 'use custom policy' option) and a CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions.
Sep 08 2020 01:24 PM
Hi @rajatm, in your suggestion below, can you explain how I create a CAS policy to block native apps and force users to use the web app: "CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions."
I have an access control policy for the native client as follows:
Access policy
- Device tag does not equal: Intune Compliant, Hybrid Compliant
- App = Microsoft Teams
- User agent tag = Native client
- User name = (user)
Session policy
- Control file downloads (with inspection)
- App = Microsoft Teams
- User name = (user)
- Device tag = Hybrid Azure AD joined, Intune compliant
I can't seem to get users on a non-supported device to be stopped from downloading files from Teams.
Sep 08 2020 01:31 PM - edited Sep 08 2020 01:33 PM
Hello @gd2020, you should add a 'client app' == 'Mobile or desktop' filter to the access policy. Without this filter, access policies only apply to browsers. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls . This access policy should then block users from being able to sign in to the Teams desktop app.
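The Azure AD Conditional Access half of the setup discussed in this thread (a CA policy that forwards Teams sign-ins from unmanaged devices to Cloud App Security via 'Use custom policy', scoped to both browser and desktop client app types so that the CAS session policy can govern browser downloads and the CAS access policy can block the desktop client), as an added example that is not from any post in the thread. It assumes the Microsoft.Graph PowerShell module; the Teams application ID is a placeholder, and the device filter rule is one chosen here to express "not compliant and not hybrid Azure AD joined".

```powershell
# Added example (not from the thread): create the CA policy that routes Teams
# sessions from non-compliant, non-hybrid-joined devices to Cloud App Security.
# The CAS access policy (client app == 'Mobile or desktop') and CAS session policy
# (block/control downloads) are then configured in the CAS portal.
# Requires Microsoft.Graph; <TEAMS-APP-ID> is a placeholder for the Teams app ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Route Teams sessions from unmanaged devices to CAS"
    # Report-only first: check the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("<TEAMS-APP-ID>") }
        # Browser sessions are needed for the CAS session policy to control downloads;
        # desktop clients must also be routed so the CAS access policy can block them.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices = @{
            deviceFilter = @{
                mode = "include"
                # Chosen rule: devices that are neither Intune compliant nor hybrid joined.
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # "Use custom policy" in the portal
        }
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

As noted earlier in the thread, this requires Azure AD Premium P1 for Conditional Access and a Cloud App Security licence for the session controls.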