Teams Client and Defender for Cloud Apps

Iron Contributor

Hi Folks,

I'm evaluating the following Policy in MCAS: Block upload based on real-time content inspection

 

Here the details of the policy:

User Name equals "UPN"

App equals "Microsoft Online Services"

Filters: Extension equals *.ps1

Actions: Block

 

Everything works as expected using Microsoft Web-Based interfaces.

I'm able to bypass the above rule while using Microsoft Teams Client (fat client)

 

Any Idea/Suggestion ? :unamused:

3 Replies
Hi!
indeed, this is the way the product is designed: it can protect you for web based interfaces. For non-web clients, you have a choice between allowing them, as it is now, or blocking them completely through an Access Policy, that will block clients that are not browser based.

Hi @Yoann_David_Mallet,

 

The goal is not to whitelist/blacklist applications but rather to block the upload of certain File Types only.
Today the only possibility you have to achieve it is the use Defender for Cloud Apps (as per Microsoft statement - not mine :smile:).

However the available Apps in the Defender suite only includes "Microsoft Online Services" which is indented for web-based use and it is working fine actually (no issue with that)

 

However, Microsoft Teams client is left behind or not considered by the Defender PG.

Teams client is interacting with other workloads like SharePoint/OneDrive using the same web-based API so I'm expecting the MCAS policies to be honored in the same way.

 

 

Spoiler
From a security standpoint, I found this behavior a bit strange no ?
How can I guarantee that MCAS policies are honored also in Microsoft Teams client (fat client) ?

 

 

 

While I am not an expect with Teams, if your request is specifically for teams, i would recommend you look into the Teams DLP functionalities. Most policies do apply to both the web and thick client.