In today's increasingly online and hybrid work environment, facilitating seamless work from any location and device is crucial, especially with the growing necessity to share data externally for enhanced collaboration. On the other hand, protecting your organization's data and resources remains important. Additionally, the rising reliance on web browsers for enterprise tasks introduces new security challenges that require careful attention to keep data and apps secure.
To address these needs effectively, it is vital to provide centralized yet flexible solutions that empower users to control how their organization's data is accessed, balancing protection with productivity. We are excited to deliver a new way to manage secure session access for SaaS apps. Microsoft Defender for Cloud Apps now provides new in-browser protection capabilities via Microsoft Edge to enable security teams to seamlessly manage how a user can interact with in-app data based on their risk profile. The in-browser protection removes the need for proxies, improving both security and productivity, based on session policies that are applied directly to the browser.
Depending on the risk associated with the user, such as when they are logging in from an unmanaged device, admins can restrict app access or create granular policies that prevent downloads, uploads, copying, cutting, or printing actions during a session. More importantly, protected users enjoy a smooth experience when using cloud apps without any impact on their productivity — through native integration with Edge, there are no latency or app compatibility issues, providing more flexibility in protecting your valuable data across SaaS apps.
Protect data across SaaS apps directly within Edge for Business
Microsoft Defender for Cloud Apps now enables session policies to protect data in motion within the Edge for Business browser as it traverses trust boundaries with detailed visibility into cloud app usage with real-time, session-level monitoring. This functionality is crucial for protecting data from SaaS apps such as SharePoint, Box, or Dropbox as it moves to managed or unmanaged devices within an organization.
Session policies can be configured within the Microsoft Defender portal. Security admins can follow these steps to create a new session policy:
- After you have created a conditional access policy that applies Defender for Cloud Apps session control, navigate to Cloud Apps -> Policies -> Policy management in the Microsoft Defender portal. Then select the Conditional access tab.
- Click on Create policy and select Session policy.
- In the Session policy window, assign a name for your policy, such as Block Download of Sensitive Documents in Box for Marketing Users.
- Under the Session control type field, choose from the following options:
- Select Monitor only if you only want to monitor activities by users. This selection creates a Monitor only policy for the apps you selected were all sign-ins.
- Select Control file download (with inspection) if you want to monitor user activities. You can take more actions like block or protect downloads for users.
- Select Block activities to block specific activities, which you can select using the Activity type filter.
Seamless experience for both end users and admins
The integration of Defender for Cloud Apps with Edge for Business delivers smooth and fast experience for both end users and admins, leveraging robust security controls from an enterprise-grade browser while streamlining workflows. The deployment is seamless for the users as this functionality is natively built into the Edge browser installed by default on the users’ Windows PC.
Once the admin establishes session policies, these policies are directly applied to browser. For instance, admins can create session policies based on user risk profiles to prevent actions such as downloads, uploads, copying, cutting, or printing files. Specifically, when a user attempts to download a file containing sensitive credit card information from a SharePoint site via the Edge for Business browser, Defender for Cloud Apps will enforce the session policy to block this action. These restrictions are implemented seamlessly for users without affecting their productivity.
Additionally, for admins, the experience is equally seamless, requiring no additional configurations as it automatically utilizes the built-in controls of Edge for Business. If you are already using session policies today, there is no need to define new ones. The integration will work seamlessly and continue to serve 3rd party browsers through proxy while automatically using Edge after a user is signed into the work profile.
Users can identify that they're using in-browser protection in Microsoft Edge for Business by the additional "lock" icon in the browser address bar as shown in the example below, indicating protection by Defender for Cloud Apps. Unlike standard conditional access app control, the .mcas.ms suffix does not appear in the browser address bar with in-browser protection, indicating that the Edge for Business browser is implementing security measures directly on the user's device, which can provide reduced latency, tighter control, and better security.
The seamless integration of Microsoft Defender for Cloud Apps with an enterprise-grade browser ensures a safer, latency-free experience for end users. Simultaneously, security admins can effortlessly manage in-app access to SaaS applications and control user interactions with in-app data based on individual risk profiles. This integration strikes a crucial balance between protection and productivity in today's dynamic workplace.
Learn more:
- Read our documentation to get started with in-browser protection
- Explore session policy in Defender for Cloud Apps documentation