Microsoft Defender for Cloud Apps session policy does not work for Sensitivity Label file

We are using Microsoft Defender for Cloud Apps with the goal of implementing controls to prevent users from downloading sensitive labelled documents to unmanaged/personal devices.

To accomplish this, in MDFCA we created a Session Control policy to block these activities for test users accessing M365 via a web browser. The policy configuration is below:
- Session Control type: Control file download (with inspection)
- Activities matching all of the following:
  - App equals Microsoft Online Services (and all sub-services)
  - User Name equals [test users]
  - Device Tag does not equal Hybrid Azure AD Joined, Valid Client Certificate
- Files matching all of the following:
  - Sensitivity label equals [sensitive labels]
- Inspection method: None
- Actions: Block

1 Reply

@JasonZxd The session policy seems to be configured to do what you are describing, but it is difficult to assess what's blocking without knowing more about your Conditional Access policy, directing the session to Defender for Cloud Apps.

In case of doubt, please review this documentation: Conditional access app control - Microsoft Defender for Cloud Apps | Microsoft Learn

Feel free to reply to this post and tag me if you have more questions.