Microsoft Defender for Cloud Apps session policy does not work for Sesitivity Label file

JasonZxd · ‎May 23 2024

we are suing Microsoft Defender For Cloud Apps with the goal of implementing controls to prevent users from downloading sensitive labelled documents to unmanaged/personal devices

To accomplish this, in MDFCA we created a Session Control policy to block these activities for test users accessing M365 via a web browser. The policy configuration is below:
- Session Control type: Control file download (with inspection)
- Activities matching all of the following:
o App equals Microsoft Online Services (and all sub-services)
o User Name equals [test users]
o Device Tag does not equal Hybrid Azure AD Joined, Valid Client Certificate
- Files matching all of the following:
o Sensitivity label equals [sensitive labels]
- Inspection method: None
- Actions: Block

Yoann_David_Mallet · ‎May 26 2024

@JasonZxd The session policy seems to be configured to do what you are describing, but it is difficult to assess what's blocking without know more about your Conditional Access policy, directing the session to Defender for Cloud Apps.

In case of doubt, please review this documentation: Conditional access app control - Microsoft Defender for Cloud Apps | Microsoft Learn

Feel free to reply to this post and tag me if you have more questions.

Products (49)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Microsoft Defender for Cloud Apps session policy does not work for Sesitivity Label file

Microsoft Defender for Cloud Apps session policy does not work for Sesitivity Label file

Re: Microsoft Defender for Cloud Apps session policy does not work for Sesitivity Label file