Welcome to the Real Time Controls blog series! This series will focus on the Real Time Controls pillar in Microsoft Cloud App Security (MCAS) and how to work through some unique use cases, workarounds and pointers when configuring your policies.
For those of you who are unfamiliar with Real Time Controls in Cloud App Security, check out our documentation located here: Deploy Cloud App Security Conditional Access App Control for Azure AD apps | Microsoft Docs. In short, MCAS uses a reverse proxy to monitor user sessions and apply controls in real time (i.e. Block downloads to an unmanaged device). Keep in mind, you can only leverage this feature set for the web versions of applications, not thick clients (one of the most frequently asked questions). If you’re interested in a blog dedicated to how to protect that scenario, please like this post!
For the first blog, I wanted to share a use case that has been popping up over the last couple of months.
Use Case: Block downloads to unmanaged devices for ExchangeOnline.
Current Behavior: When a user accesses the Outlook Web Application (OWA) and tries to preview a PDF attachment, they are blocked by MCAS. This is because in some browsers the PDF needs to be downloaded on the backend in order to preview it.
Technically, MCAS is satisfying the use case as expected. It recognizes a download, so it blocks the action. Some customers have expressed that blocking the preview inhibits users from completing daily tasks. Good news! We have found a workaround for this exact scenario.
There is a PowerShell module specifically for Exchange Online that will allow users to preview PDF but remove the download functionality so data will remain protected even if accessed from an unmanaged device.
Here are the steps:
Note: The “OwaMailboxPolicy-Default” is the default OWA policy in EXO. It is possible customers have deployed additional or created a custom OWA policy with a different name. If customers have multiple OWA policies, they may have those applied to specific users. Therefore, those would also need to be updated to have complete coverage.
- Download the Exchange Online Powershell Module: PowerShell Gallery | ExchangeOnlineManagement 2.0.4
- After this the user will need to connect to the module (depending on the tenant here is the list of commands):
- Connect to Exchange Online PowerShell | Microsoft Docs
- Once the user has established connection to the exchange online Powershell, they will need to update two command lines
- Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs:
- Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -DirectFileAccessOnPrivateComputersEnabled $false -DirectFileAccessOnPublicComputersEnabled $false
- After these parameters have been set, run a test on OWA with a PDF file & a session policy configured to block downloads. The “Download,” option should be removed from the dropdown and the user can preview the file.
- Before Powershell cmd:
After Powershell cmd:
Thanks for tuning in on the first post on Real Time Controls. Look out for these steps in the Troubleshooting guide (https://docs.microsoft.com/en-us/cloud-app-security/troubleshooting-proxy). If there are any scenarios you’re curious in seeing, please leave a comment below.
Let us know if you have any feedback or relevant use cases/requirements for this portion of Microsoft Cloud App Security by emailing CASFeedback@microsoft.com and mentioning the core area of concern.
For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:
To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security.
Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity.