mCAS Session Policy and the Block Download Control Type


Hello. I'm looking to better understand what the expected behaviour is when using Conditional Access App Control and a Session Policy to block the download of documents, specifically images. Currently I'm able to block everything in a OneDrive mCAS monitored session but for a file that pertains to an image, i.e. GIF, TIF, JPG, PNG etc. I've tried multiple options including an explicit file filter (per image attached to this thread) but without any success. Whilst the mCAS Session Policy works as expected for non-image formats, such as PDF, TXT, Office files for example, the same can't be said for images. Is this by design? Thanks for reading :)

ConitionalAccessAppControl- mCAS Policy.PNG

6 Replies

Hi, @flotrig, thank you for posting.

Our SMEs are looking into this topic, and will get back to you as soon as we can.

Hi @flotrig 


This is a limitation of the proxy. Since we have to download the images of the website to render them correctly, we cannot block downloads of images without breaking the experience for customers.


Best regards,



@Sebastien Molendijk Hi Seb, thanks for coming back, had a suspicion this is where you might head. Therefore, and for clarity, if a user renamed the file suffix of a document restricted by the current mCAS policy, perhaps from a .PDF or .DOCX to an image format such as .PNG, they would circumvent the block downloads policy, correct?


Building on this, if I wanted to block image downloads, is there a suggested approach you could recommend? Perhaps Information Protection + Encryption?




@flotrig @Sebastien Molendijk, a year later, still the same behavior. Your question, @flotrig, is still relevant. Did you receive an answer or find out how to circumvent this issue?

@BorisBerkelaar this feature is currently in private preview and should be available to everyone pretty soon.




@Sebastien Molendijk - any news when this will be moving from private to public preview?