Welcome to the Real Time Controls blog series! This series will focus on the Real Time Controls pillar in Microsoft Cloud App Security (MCAS) and how to work through some unique use cases, workarounds and pointers when configuring your policies.
For those of you who are unfamiliar with Real Time Controls in Cloud App Security, check out our documentation located here: Deploy Cloud App Security Conditional Access App Control for Azure AD apps | Microsoft Docs. In short, MCAS uses a reverse proxy to monitor user sessions and apply controls in real time (i.e. Block downloads to an unmanaged device). Keep in mind, you can only leverage this feature set for the web versions of applications, not thick clients (one of the most frequently asked questions). If you’re interested in a blog dedicated to how to protect that scenario, please like this post!
For the first blog, I wanted to share a use case that has been popping up over the last couple of months.
Use Case: Block downloads to unmanaged devices for ExchangeOnline.
Current Behavior: When a user accesses the Outlook Web Application (OWA) and tries to preview a PDF attachment, they are blocked by MCAS. This is because in some browsers the PDF needs to be downloaded on the backend in order to preview it.
Technically, MCAS is satisfying the use case as expected. It recognizes a download, so it blocks the action. Some customers have expressed that blocking the preview inhibits users from completing daily tasks. Good news! We have found a workaround for this exact scenario.
There is a PowerShell module specifically for Exchange Online that will allow users to preview PDF but remove the download functionality so data will remain protected even if accessed from an unmanaged device.
Here are the steps:
Note: The “OwaMailboxPolicy-Default” is the default OWA policy in EXO. It is possible customers have deployed additional or created a custom OWA policy with a different name. If customers have multiple OWA policies, they may have those applied to specific users. Therefore, those would also need to be updated to have complete coverage.
After these parameters have been set, run a test on OWA with a PDF file & a session policy configured to block downloads. The “Download,” option should be removed from the dropdown and the user can preview the file.