Using Microsoft Defender for Cloud Apps to limit file downloads to managed devices
Recently I’ve been doing a lot of work to secure Microsoft 365 tenants and the data stored within them. To that end, I have been doing a bit of work with Microsoft defender for Cloud Apps, and the protections it provides.
With the end of the 2020 pandemic insight (maybe?), people are returning to offices around the world. That being said, we can expect that “the new normal” will include a lot of people either working hybrid office schedules or in permanent work-from-home roles. These changing workplace landscapes mean that organizations need to be more careful about managing the data stored in their Microsoft 365 tenants.
Protecting your tenant against malware infections and data being left unencrypted on personal devices means that you need to ensure that your data is only available on devices that meet minimum security configurations.
In this blog post, I am going to walk through the configurations necessary for limiting file downloads from Microsoft 365 to managed devices via Microsoft Defender for Cloud Apps (DCA).
Configuration
We are going to skip over any Endpoint Management configuration here. I’m assuming you already have your devices enrolled in Endpoint Manager and go from there.
We’re going to do our work in DCA, so navigate to the DCA Portal.
Here we need to create a new session policy.
Figure 1 – New session policy
Session policies apply to browser-based applications. That well handles SharePoint, and other 3rd party browser-based apps like Salesforce if you setup those applications to be protected by DCA. This policy will not have any affect on file downloads in Teams phat client or the OneDrive for Business phat client. We’ll address those situations later.
Next you need to name your new policy, assign a severity, category, and write a good description. For the Session control type, select “Control file download (with inspection).”
Figure 2 – Policy details
Moving down to the next section of the policy, here we can define where this policy applies. The most important filter is the device filter, then you need a filter to define to which app(s) this policy will apply and for which users.
Figure 3 – Policy filters
The device filter is set to Intune compliant (Microsoft can’t keep up with the name changes themselves, how are we expected to?) and Hybrid Azure AD joined. For apps, I selected Microsoft Online Services (you can add others if they are discovered by DCA), and I set this policy to apply just to my account (always test out new policies on a limited set of accounts).
The next section is for file filters. I have left this blank to apply to all files, but you can limit it to specific files by extension, file name, file size, or sensitivity label.
After the file filters, you can select the inspection method. The options are built-in DLP, data classification service, or malware detection. I left this selection blank.
The next section is the Actions this policy can take against a match.
Figure 4 – Policy Actions
I’d recommend testing the policy first in monitor mode, but I have set my policy action to block (I limited it to one account). Choosing the “Protect” radio button will allow the download but apply sensitivity label selected (which can include encryption). Require step-up authentication can trigger new authentication requirements before the user downloads the file(s), but again I am setting this policy up to block downloads to unmanaged devices.
The final section of the policy is for alerts.
Figure 5 – Policy alerts
Nothing too complex here, so set the alerts to whatever works for you.
Before I save this file, there is a warning box at the bottom.
Figure 6 – Policy alert
As stated above, this policy will only apply to browser-based applications. We’ll need a second policy to control file downloads from phat clients, but that is going to have to wait for another blog post.
Important caveat
Before we move on to a policy for phat clients, there is an important caveat we must talk about.
After putting this policy in place, I did some testing. I tested this on three different laptops and got a rather surprising result.
First, I tested on a managed laptop that is enrolled in Intune and Azure AD joined to my tenant. Everything worked as expected.
Next, I tested on a laptop that is not managed. Worked as expected and I could not download files.
Finally, I tested on my work laptop. This laptop is enrolled in Intune and managed by the company I work for, but not my tenant. It seems this policy doesn’t care WHO manages the device, just that the device is managed by somebodies Intune.
This means that if I wanted to download a bunch of files from my employer’s tenant (and they set this up), all I would need to do is log on to my laptop that is managed on my tenant, and I could download all of their files I wanted.
Always remember that none of these protections are fool proof. They are good for keeping honest users honest, but they are not necessarily going to keep the bad guys out by themselves. That takes a much larger overall effort.