MCAS Data Protection Blog Series: Box Real-Time Protections
Published Nov 30 2020 09:35 PM 4,814 Views

November 2020


Protect Box (Part 2: Real-Time Data Protection)


Hi everyone!


Welcome to the second blog of MCAS Data Protection Blog Series! If this is your first time seeing this blog, check out my landing page for some more information about me and what I’ll be covering! This blog series is also a part of our newly published MCAS Ninja Training (check it out at!


Within this article, I’ll be discussing a few different ways we can use real time session controls to protect Box based on common customer scenarios.


Before we get started, please ensure you have the following perquisites in place.


  • User has configured Box with AAD for use in Conditional Access App Control.

Connected Apps.PNG

  • Azure Information Protection integration is enabled.

AIP Configuration.PNG


There are two ways to protect Box using MCAS.


  • Near real-time (NRT) protection that’s configured through File Policies and manual file governance; this uses the Box app connector.
  • Real-time data protection using Conditional Access App Control.


For this article (Part 2), we are covering real-time data protection mechanisms.


Landing Page.PNG

Alright, lets go ahead and start with use case number 1: applying an Azure Information Protection (AIP) label (Sensitivity Labels work too, if you’ve already migrated to Unified Labeling) to downloads or, preventing downloads of labeled files.


When you are using real-time session controls, it is important to note that you can prevent uploads and downloads for files that do not have Azure Information Protection labels as well as block downloads for files that have those labels. For first example, we are going to prevent a download of a file that has sensitive information. The sensitive information types can be blocked using a custom information type or be one of the built-in information types that integrate once the Azure Information Protection integration is enabled.  


Here are the configurations for 3 block policies.


The screenshot below shows the configurations to block downloads of any files that have credit card information in Box from unmanaged devices.


Block Download CC Info.png



The screenshot below blocks downloads of any files that have the label Confidential applied from unmanaged devices.


AIP Label Block Download.png



The screenshot below applies an AIP label to every file from Box downloaded from unmanaged devices.


apply label.png

These are great policies for organizations aiming to prevent files from being downloaded on unmanaged devices or have protection if those files do need to have labels be applied.


NOTE: Real-time session controls are only for browser-based session controls. This will not work for thick clients. You can use access control policies to prevent access to the thick client and force a reroute to a browser-based session. 


NOTE: You cannot apply AIP labels to uploads using real-time session controls in the browser-based sessions. AIP labels can only be applied during downloads for real-time session controls.


This scenario poses a unique situation.


Customer ask: If we have a policy that blocks downloads of credit card numbers and a policy that applies AIP labels to all downloads, which policy takes precedence?


Answer: The blocking of downloads gets precedence as it is the stronger action. Yes, you are able to have both policies in place.


Now, lets discuss our next example. The MCAS CxE team is often asked about extension types.


Customer ask: Are we able to prevent the upload or download of certain extension types?


Answer: Yes. In addition, you are also able to create a policy where you’re notified of a specific extension type being uploaded or downloaded. This is particularly important for our customers who are in the financial industry. There are specific types of files that they do not want uploaded into the shared Box sites and therefore, they find great value in being able to prevent the uploads and/or downloads of those files.


In the screenshot below, whenever a user downloads .txt files from Box, it’ll be blocked. Similarly, if you chose to monitor all activities, you’ll be able to see whenever that file type is downloaded.


Block extensions.png


In the last example, we’ll discuss malware detection.


Customer ask: We already use Malware Detection policies with Box from our API connectors. Why do we need to use the Malware real-time session controls?


Answer: The API connection malware configuration is great for going through already existing files. The real-time malware detection stops it at the source, rather than pushing forward potential vulnerabilities into box. Also, the API connection uses near real-time mechanisms. With our session policies, you don’t have to wait to have the malware detection pick up malicious files.




There you have it! A few use cases of MCAS data protection with Box real-time session controls. Let me know if you have any feedback. What other scenarios would you like me to cover? Feel free to comment below!


1 Comment
Version history
Last update:
‎Nov 02 2021 04:47 PM
Updated by: