Block downloads in Microsoft 365 clients


Hi Team.

I have the following requirement:

- Block downloading files in Microsoft 365 clients (Microsoft Outlook and Teams).


For web apps, this is ready.

I created a Conditional Access policy to use Conditional Access App Control and created a Microsoft Defender for Cloud Apps policy for session control of file downloads.

Files in Outlook Web or Teams Web cannot be downloaded.


But the policy does not work in clients (Microsoft Outlook client or Teams client).

How can I apply the document download block on clients?



6 Replies

@CarlosMorales session controls are only applicable for browser sessions today.  Some use cases can be accomplished on managed devices through the use of Endpoint DLP.


I need to block the apps on personal computers.
The user only accesses apps on corporate computers.
Blocking web apps is OK with MDCA, but I can't block access in client applications.

@CarlosMorales what most customers will do in this scenario is block access to native clients on unmanaged devices using a CA policy then force traffic to browser so it can be monitored and controlled by a session policy

Do you have a guide or reference URL for this configuration?
I have a CA policy. The configuration is:
Users: one user (test)
Cloud apps: Office 365
Conditions: Device platforms: any device, Client apps: mobile apps and desktop clients
Grant: block access.

How do I block native clients?
best response confirmed by CarlosMorales (Brass Contributor)

@CarlosMorales you would also need to include unmanaged devices, this can be done through a device filter something like this.

Then create a separate CA policy to enable session controls for the browser based users
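
The two policies described in the replies above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not something posted in the thread; the display names, the user ID placeholder, and the definition of "unmanaged" (not compliant and not hybrid joined) are assumptions.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$testUserId = '<object-id-of-test-user>'   # placeholder, replace with the pilot user

# Assumption: a device is "unmanaged" when it is neither compliant nor hybrid joined.
$unmanaged = @{
    deviceFilter = @{
        mode = 'include'
        rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
    }
}

# Policy 1: block Outlook/Teams desktop and mobile clients on unmanaged devices.
$blockNative = @{
    displayName   = 'EXAMPLE - Block native clients on unmanaged devices'
    state         = 'enabledForReportingButNotEnforced'   # report-only
    conditions    = @{
        users          = @{ includeUsers = @($testUserId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
        devices        = $unmanaged
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: send browser sessions through Conditional Access App Control so the
# Defender for Cloud Apps session policy (block download) applies.
# Drop the 'devices' condition to cover browser sessions from every device.
$browserSession = @{
    displayName     = 'EXAMPLE - Session control for browser on unmanaged devices'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = @{ includeUsers = @($testUserId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser')
        devices        = $unmanaged
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'mcasConfigured' }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $blockNative
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserSession
```

Both policies are created in report-only mode; review the sign-in logs for the test user before changing `state` to `enabled`.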