krishnasembee
Copper Contributor
Jul 15, 2021

Block upload of documents to other office 365 tenant

I wish to block upload of documents to other Office 365 tenants on a managed device.

Can this be achieved using MCAS?

  • Darren_Bennett
    Copper Contributor
    Is it a specific M365 tenant you want to block uploads to, or any/all other tenants? And do you want to block uploads to other M365 tenants but allow uploads to other services, or block all uploads?

    • krishnasembee
      Copper Contributor
      We want to block upload to all other Office 365 instances apart from the one we own.
  • MZyarah
    Brass Contributor

    Hi krishnasembee

    Do you mean sharing documents with other tenants? Because upload means they already have access to those tenants, as guests maybe, and the other tenants should take the action from their side, not yours.

    If you're talking about sharing files with another domain/tenant, as far as I know you can prevent that using a File Policy in MCAS.

    Also you can use entire organization instead of Any Any from domain.

    Cheers,

    • Darren_Bennett
      Copper Contributor
      I think the issue with that file policy is that you have to specify the domain you’re wanting to block. That would not be possible if you’re wanting to block a domain that’s M365 registered.

      My feeling is, the easiest solution would in fact be to encrypt data and have less focus on where the data is going.

      You could also use a simple conditional access policy to block auth from unmanaged devices or only allow it from trusted locations. This means even a user in the source tenant can’t take the data away from a managed device and access it - their auth would be blocked by the conditional access policy.

      Ultimately, there are a number of ways of preventing data being accessed outside the source tenant. I don’t believe blocking upload to “any M365 tenant” is a realistic option.

      Encryption covers many vectors. Upload to any M365 tenant doesn’t even cover all vectors and would be hard / impossible to manage.
      • Darren_Bennett
        Copper Contributor
        To be clear. You’d have to list every M365 registered domain in the file policy. That would be millions of domains. I don’t think the policy supports that many domains, and I don’t know how you could possibly ascertain a list of all domains that are M365 registered even if it does support that many domains.
    • krishnasembee
      Copper Contributor
      Hello,

      I am not talking about sharing or collaborating here, I am talking about upload.

      On my corporate device, I can log in to any Office 365 tenant and upload documents of my tenant. I want to restrict this to only a single tenant.
      • MZyarah
        Brass Contributor

        krishnasembee

        This is not even related to uploading or sharing files. If you don't want your corporate devices to access other tenants, you need to use Azure AD tenant restrictions; take a look here.

        I hope this will be helpful.
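
An added illustration, not part of the thread and not Microsoft's code: tenant restrictions (v1) are enforced by an outbound TLS-inspecting proxy that inserts two headers on requests to the Azure AD sign-in hosts. The Python model below shows that injection; the function name `apply_tenant_restrictions`, the stripping of client-supplied copies, and the tenant values are assumptions made for the example.

```python
"""Model of the header injection an outbound TLS-inspecting proxy performs
for Azure AD tenant restrictions (v1). Tenant values are constructed placeholders."""

# Azure AD sign-in hosts on which the proxy inserts the headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
RESTRICT_HEADERS = ("restrict-access-to-tenants", "restrict-access-context")


def apply_tenant_restrictions(host, headers, permitted_tenants, context_tenant_id):
    """Return the header dict the proxy should forward for a request to `host`.

    permitted_tenants: tenant domains or directory IDs users may sign in to.
    context_tenant_id: directory ID of the tenant that sets the restriction.
    """
    # Assumption of this example: drop client-supplied copies so a device
    # cannot present its own, wider allow-list.
    out = {k: v for k, v in headers.items() if k.lower() not in RESTRICT_HEADERS}
    # Normalise "host:port", letter case and a trailing dot before matching.
    name = host.rsplit(":", 1)[0].rstrip(".").lower()
    if name in LOGIN_HOSTS:
        out["Restrict-Access-To-Tenants"] = ",".join(permitted_tenants)
        out["Restrict-Access-Context"] = context_tenant_id
    return out


if __name__ == "__main__":
    # Constructed sample requests as seen by the proxy on a managed device.
    allowed = ["corp.example"]                          # placeholder tenant domain
    context = "00000000-0000-0000-0000-000000000000"    # placeholder directory ID
    samples = [
        ("login.microsoftonline.com:443", {"User-Agent": "demo"}),
        ("login.windows.net", {"restrict-access-to-tenants": "other.example"}),
        ("www.example.org", {"User-Agent": "demo"}),
    ]
    for host, hdrs in samples:
        print(host, "->", apply_tenant_restrictions(host, hdrs, allowed, context))
```

With the headers present, Azure AD refuses sign-in to any tenant not in the permitted list, which is what stops a user on the managed device from authenticating to a foreign tenant in the first place.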

         
