Configure policy for block download files


Hi Team.

I have requirement, for all Information Protection users for block download files with specific label.


I have Microsoft Information Protection deployment with several labels. I need that emails with specific label, block download files using Microsoft Outlook client.


I have performed the following configurations:

Policy in Conditional Access for Session - Use Conditional Access App Control.

In Microsoft Defender for Cloud Apps - create policy for session.



When send email with attach file with MIP label - Recipient open email in Outlook Web - not permit download files (policy perfect working), but, this policy not working for Outlook client.



In MDCApps:

Apps scope - Office 365 (not include Outlook client)

Users scope: only internal users.


Two questions:

How can i integrate Outlook client in this policy?

How can I integrate external users in this policy?



1 Reply

Question 1, "How can i integrate Outlook client in this policy?" - I believe you can't, not with the same session policy at any rate. See the note in section 6 of this doc which says:
"Session policies don't support mobile and desktop apps. Mobile apps and desktop apps can also be blocked or allowed by creating an access policy."
Question 2 - "How can I integrate external users in this policy?" Can you clarify what an external user is? Someone who does/does not have a guest account in your AAD?