Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Protect tenant data on unmanaged devices (Copy/Paste)

Frequent Contributor

We are looking for ways to do the following:
- we want to prevent a user or guest who accesses tenant data (through browser or Office apps) from an unmanaged device to copy and paste data outside allowed apps. 


This should be done on Windows 10 and higher. 

So basically it is allowed to copy and paste from Teams to Word (with same identity) but not to notepad or Wordpad for example. 

We have been testing with access and session policies that should prevent pasting data outside allowed apps but that does not block pasting to notepad. 
Does anyone have a solution for this very challenging requirement?

2 Replies
Your scenario should be possible using Microsoft Intune, you could prevent data leakage for unmanaged devices and they have to login with credential to be able to copy and paste. Take a look at:
Also take a look at:

@Mike Platvoet, WIP is the Microsoft solution to prevent this copy/paste activity. It works by encrypting files with the EFS system and then only allowing access by "Enlightened" apps. Enlightened apps can also be restricted from copy and paste into unenlightened/unallowed apps.


Notepad is on the list of Enlightened apps. So, you'd have to remove it from the WIP policy.  Be careful with WIP, there are only a handful of Enlightened apps and so the rest of your apps won't be able to interact with company data (O365 data) unless you exempt them. However, if you exempt an app, it can do anything with company data. Also, an unenlightened app cannot switch between working with personal and company data. This makes it difficult for users who use apps for both.