Configure policy to block downloading files

Hi Team.

I have a requirement, for all Information Protection users, to block downloading files with a specific label.

I have a Microsoft Information Protection deployment with several labels. I need file downloads to be blocked for emails with a specific label when using the Microsoft Outlook client.


I have performed the following configurations:

Policy in Conditional Access for Session - Use Conditional Access App Control.

In Microsoft Defender for Cloud Apps - created a session policy.

Test:

When an email with an attached file with a MIP label is sent and the recipient opens the email in Outlook Web, downloading files is not permitted (the policy works perfectly), but this policy does not work for the Outlook client.


Comments:

In MDCApps:

Apps scope - Office 365 (does not include the Outlook client)

Users scope: only internal users.


Two questions:

How can I integrate the Outlook client in this policy?

How can I integrate external users in this policy?


Thanks,

1 Reply
Hi,

Question 1, "How can I integrate Outlook client in this policy?" - I believe you can't, not with the same session policy at any rate. See the note in section 6 of this doc https://docs.microsoft.com/en-us/defender-cloud-apps/session-policy-aad#create-a-defender-for-cloud-... which says:
"Session policies don't support mobile and desktop apps. Mobile apps and desktop apps can also be blocked or allowed by creating an access policy."
Question 2 - "How can I integrate external users in this policy?" Can you clarify what an external user is? Someone who does/does not have a guest account in your AAD?