SOLVED

Enforce MFA when a user downloads a sensitive document

Hi All,

I have tested the scenario "Block download" using a custom session-based Conditional Access policy in Cloud Apps. However, I was wondering whether we can enforce MFA when a user downloads sensitive documents rather than blocking the download.

I would appreciate the help!

Thanks in advance,

Dilan

5 Replies
best response confirmed by dilanmic (Iron Contributor)
Solution
You can configure it on the Site level via auth context: https://office365itpros.com/2021/06/10/azure-ad-authentication-context-sensitivity-labels/
At the moment, you cannot use it for individual labeled files. The other option is to target AIP as a cloud app via Conditional access policy, but that is even broader than doing it per-site.

Hi @dilanmic,

As @VasilMichev mentioned, this is possible using authentication context. The site would need to have a label, and within Defender for Cloud Apps you would specify "Require step-up authentication".

[Screenshot attachment: Keith_Fleming_0-1663179429682.png]

It's the same concept described in this article (the action is just different).

Protect sensitive SharePoint sites with Defender for Cloud Apps - Microsoft Tech Community

Like @VasilMichev and @Keith_Fleming said, authentication context can help here, as long as you are using Azure AD Conditional Access to send the user session to Defender for Cloud Apps.
One minor observation:
Although you can do this at the SPO site level, you don't need to. You can invoke re-authentication via authentication context as an action of file inspection.
In other words, after you configure Azure AD authentication context policies to require MFA, you can change the action on your session policy from "Block" to "Require step-up authentication" and map it to the policy you created in Azure AD.

The only caveat is that if the user has already performed MFA before, granted that everything remains the same (user in good state/same device/browser), the MFA prompt will be satisfied silently by the cached token in the computer/browser.
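The Azure AD side of the setup described in this thread (publish an authentication context, require MFA when it is invoked, and route Office 365 sessions through Defender for Cloud Apps) can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example and not code from any poster or from Microsoft; the context id "c1", the policy names, and the break-glass account placeholder are assumptions, and the "everyTime" sign-in frequency setting is included as one way to address the cached-token caveat above, not as something the thread confirms. The Defender for Cloud Apps session policy that maps "Require step-up authentication" to this context is still created in its own portal.

```powershell
# Added example: Azure AD/Conditional Access side of step-up MFA for downloads.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds
# a role allowed to write Conditional Access policies. Names and ids below are
# placeholders chosen for this example.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Publish an authentication context that Defender for Cloud Apps can reference.
#    Ids must be in the range c1..c99; IsAvailable makes it selectable by other services.
$ctxId = "c1"
New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id $ctxId `
    -DisplayName "Sensitive document download" `
    -Description "Step-up MFA requested by Defender for Cloud Apps file inspection" `
    -IsAvailable

# Placeholder: object id of an emergency-access account that stays out of both policies.
$breakGlass = "<break-glass-account-object-id>"

# 2. Policy that requires MFA whenever the context is invoked. The signInFrequency
#    block (assumption) asks for a fresh interactive MFA instead of silently reusing
#    a cached claim, which is the caveat discussed above.
$stepUp = @{
    displayName = "CA - step-up MFA for sensitive downloads"
    state       = "disabled"   # review in disabled/report-only state before enabling
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeAuthenticationContextClassReferences = @($ctxId) }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $stepUp

# 3. Policy that sends Office 365 browser sessions through Defender for Cloud Apps,
#    so its session policy can inspect the download and trigger the context.
$route = @{
    displayName = "CA - route Office 365 sessions to Defender for Cloud Apps"
    state       = "disabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "mcasConfigured" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $route

# 4. Check which policies reference the context (useful after later portal edits).
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains $ctxId } |
    Select-Object DisplayName, State
```

Both policies are created in the disabled state on purpose: enable the routing policy first and confirm in the Defender for Cloud Apps activity log that sessions are being proxied, then switch the session policy action from "Block" to "Require step-up authentication" mapped to "c1", and only then enable the step-up policy.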

@Doug_San I'm sorry but I don't understand your post here. The whole idea of step-up authentication is that you'd like to force another MFA prompt even though you have a valid claim. Please elaborate 🙂

Thank you all for the explanations and valuable comments. This is actually one of my clients' requirements.