JasonZxd
Copper Contributor
May 23, 2024

Microsoft Defender for Cloud Apps session policy does not work for Sensitivity Label file

We are using Microsoft Defender for Cloud Apps with the goal of implementing controls to prevent users from downloading sensitive labelled documents to unmanaged/personal devices.

To accomplish this, in MDFCA we created a Session Control policy to block these activities for test users accessing M365 via a web browser. The policy configuration is below:
- Session Control type: Control file download (with inspection)
- Activities matching all of the following:
  - App equals Microsoft Online Services (and all sub-services)
  - User Name equals [test users]
  - Device Tag does not equal Hybrid Azure AD Joined, Valid Client Certificate
- Files matching all of the following:
  - Sensitivity label equals [sensitive labels]
- Inspection method: None
- Actions: Block
