Sep 14 2022 10:30 AM - edited Sep 14 2022 10:31 AM
Hi All,
I have tested the scenario, Block download using custom session based conditional access policy in Cloud Apps. However, I was wondering whether we can enforce MFA when user download sensitive documents rather than blocking the download.
I would appreciate the help!
Thanks in advance,
Dilan
Sep 14 2022 10:39 AM
SolutionSep 14 2022 11:18 AM
Hi @dilanmic,
As @VasilMichev mentioned this is possible using authentication context. The site would need to have a label and within Defender for Cloud Apps you would specify "require step-up authentication"
It's the same concept described in this article (the action is just different).
Protect sensitive SharePoint sites with Defender for Cloud Apps - Microsoft Tech Community
Sep 14 2022 12:17 PM
Like @VasilMichev and @Keith_Fleming said, authentication context can help here, as long you are using Azure AD Conditional Access to send the user session for Defender for Cloud apps.
One minor observation:
Although you can do this at the SPO site level, you don't need to. You can invoke re-authentication via authentication context as an action of file inspection.
In other words, after you configure Azure AD authentication context polices to require MFA, you can change the action on your session police from "Block" to "Require step-up authentication" and map to the policy you created in Azure AD.
The only caveat is that if the user has already performed MFA before, granted that everything remains the same, (user in good state/same device/browser) the MFA prompt will be satisfied silently by cached token in the computer/browser.
Sep 14 2022 01:14 PM
@Doug_San I'm sorry but I don't understand your post here. The whole idea of step-up authentication is that you'd like to force another MFA prompt even though you have a valid claim. Please elaborate 🙂
Sep 14 2022 06:29 PM
Sep 14 2022 10:39 AM
Solution