Are you worried about unauthorized access to your corporate data? Discover the power of conditional access policies and learn how to block unauthorized downloads to non-managed endpoints. Use Microsoft 365 to keep your data safe and secure now!
Background
The need to prevent unauthorized downloads of sensitive information has become more pressing with the rise of organized cybercrime, and the increasing number of employees working remotely and using untrusted devices. We don’t want our data floating around on unmanaged devices.
One solution to this problem is to upgrade to Microsoft 365 E5 licensing, which enables businesses to use conditional access policies to block the download of files onto unmanaged devices. As a SharePoint Administrator or Global Administrator in Microsoft 365, you can also easily block downloads of files from SharePoint sites or OneDrive, which can be set for individual sites. The latter will, however, not be covered by this post.
Although users should work on managed, compliant devices at all times, the reality is that many employees work on unmanaged devices outside the organization’s control. In these situations, Cloud App Security and Conditional Access can be used to configure policies that define how browser sessions are controlled.
By implementing conditional access policies to block downloads on unmanaged devices, businesses can protect their sensitive data from unauthorized access and data loss. If you’re considering upgrading to Microsoft 365 E5 licensing, this is another reason to switch.
Requirements
The Microsoft 365 Licensing plans show different options for getting Microsoft Defender for Cloud Apps. Some SKUs include the service, while others can have it as an add-on.
Use the following resources to see if you already have this, or if you can have it as an add-on to your existing SKU:
Conditional Access Policy to Block Unauthorized Downloads
Building a conditional access policy that blocks the download of corporate data to unmanaged devices is the main task in preventing unauthorized downloads. Follow these easy steps to build your first rule:
- Open portal.azure.com and navigate to Security – Conditional Access
- Alternatively: entra.microsoft.com – Protect & Secure – Conditional Access
- Alternatively: intune.microsoft.com – Endpoint Security – Conditional Access
- Add a new policy, and give it a proper descriptive name following your naming convention.
- Assign the policy to the relevant user groups, then set the policy to cover all cloud apps.
- As the condition, configure Filter for devices and choose to exclude devices that are compliant, as shown in the following screenshot.

- As access control, you should add a session control type of “Use Conditional Access App Control” to block downloads.

This policy, which is currently in preview, will now block downloads to devices with a compliance state equal to false.
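As an added example (not part of the original post), the following Python check audits a policy exported from Microsoft Graph against the steps above, so a report-only state or a mis-set device filter is caught before the policy is relied on. The property names follow the Graph conditionalAccessPolicy resource; the sample policy, its display name and group id are constructed placeholders, and `audit_policy` is a hypothetical helper.

```python
import re

# Constructed sample in the shape of a Microsoft Graph conditionalAccessPolicy
# export; the display name and group id are placeholders, not real values.
SAMPLE_POLICY = {
    "displayName": "CA-Block-Downloads-Unmanaged (placeholder name)",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "devices": {"deviceFilter": {"mode": "exclude",
                                     "rule": "device.isCompliant -eq True"}},
    },
    "sessionControls": {"cloudAppSecurity": {
        "isEnabled": True, "cloudAppSecurityType": "blockDownloads"}},
}

# The filter rule the steps describe: compliant devices are excluded.
COMPLIANT_RULE = re.compile(r"device\.isCompliant\s+-eq\s+True", re.IGNORECASE)

def audit_policy(policy):
    """Return a list of findings; an empty list means the policy matches the steps."""
    findings = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; downloads are not blocked")
    users = cond.get("users") or {}
    if not (users.get("includeGroups") or users.get("includeUsers")):
        findings.append("no users or groups assigned")
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        findings.append("policy does not cover all cloud apps")
    flt = (cond.get("devices") or {}).get("deviceFilter") or {}
    if flt.get("mode") != "exclude" or not COMPLIANT_RULE.search(flt.get("rule") or ""):
        findings.append("device filter does not exclude compliant devices")
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled") or cas.get("cloudAppSecurityType") != "blockDownloads":
        findings.append("session control is not App Control with block downloads")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) or ["policy matches the steps above"]:
        print(finding)
```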
User Experience
We can now test this by signing in to the web portal from an unmanaged device using a user targeted by the policy.
When signing in to the monitored app, Conditional Access App Control uses a reverse proxy to protect data by applying access and session controls. User requests and responses will go through Defender for Cloud Apps rather than directly to the app. This will be visible in the URL now ending with mcas.ms. As an example, the address for Outlook Web Access will be https://outlook.office.com.mcas.ms
Access Is Monitored
The first time the user signs in to the service after the new policy is set, the following information will be shown to the user. This message can be customized, as shown further down in this article.

As soon as the user is signed in to the service, it will look the same as usual. The following screenshots display OneDrive, where a file upload has been performed from an unmanaged device.

The uploaded files will be scanned for viruses.
Download Blocked
All files and documents can be consumed in the cloud-based tools. As soon as a user attempts to download them to an unmanaged device, our new rule will stop this.

This way, we are blocking the download of files to unmanaged devices. The users can still be productive in the secure portals.
Configure The User Monitoring Message
When users are redirected to the proxied service from Microsoft Defender for Cloud Apps, they are by default informed of this, as we saw earlier. This notification message can be configured in several ways.
- Navigate to security.microsoft.com – More resources and open Microsoft Defender for Cloud Apps.

- Press the Settings icon and navigate to User Monitoring found under the Conditional Access App Control portion.

Here we have some options to disable the message, or adapt the message to our liking. By customizing the message, we get the chance to add our own text and branding.

This can be a nice supplement to my previous article Simon does Complete Branding for your Tenant and Managed Endpoints.
Wrapping up
Conditional access policies provide a powerful solution for businesses to prevent unauthorized downloads of sensitive information. By using Microsoft 365, companies can easily block downloads of files onto unmanaged and non-compliant devices, protecting their data from cyber threats and data loss.
Implementing conditional access policies to block downloads on unmanaged devices, coupled with Cloud App Security, provides a secure environment for users to work productively.
If you have the licensing, you can take action now and implement your conditional access policies to keep your data safe and secure!