
How to Block Unauthorized Downloads with Conditional Access Policies!

Are you worried about unauthorized access to your corporate data? Discover the power of conditional access policies and learn how to block unauthorized downloads to non-managed endpoints. Use Microsoft 365 to keep your data safe and secure now!



The need to prevent unauthorized downloads of sensitive information has become more pressing with the rise of organized cybercrime, and the increasing number of employees working remotely and using untrusted devices. We don’t want our data floating around on unmanaged devices.

One solution to this problem is to upgrade to Microsoft 365 E5 licensing, which enables businesses to use conditional access policies to block the download of files onto unmanaged devices. As a SharePoint Administrator or Global Administrator in Microsoft 365, you can also easily block downloads of files from SharePoint sites or OneDrive, which can be set for individual sites. The latter will, however, not be covered by this post.

Although users should work on managed, compliant devices at all times, the reality is that many employees work on unmanaged devices outside the organization’s control. In these situations, Cloud App Security and Conditional Access can be used to configure policies that define how browser sessions are controlled.

By implementing conditional access policies to block downloads on unmanaged devices, businesses can protect their sensitive data from unauthorized access and data loss. If you’re considering upgrading to Microsoft 365 E5 licensing, this is another reason to switch.


The Microsoft 365 Licensing plans show different options for getting Microsoft Defender for Cloud Apps. Some SKUs include the service, while others can have it as an add-on.

Use the following resources to see if you already have this, or if you can have it as an add-on to your existing SKU:

Conditional Access Policy to Block Unauthorized Downloads

Building a conditional access policy that blocks the download of corporate data to unmanaged devices is the main task in preventing unauthorized downloads. Follow these easy steps to build your first rule:

  • Start and navigate to Security – Conditional Access
    • Alternatively: – Protect & Secure – Conditional Access
    • Alternatively: – Endpoint Security – Conditional Access
  • Add a new policy, and give it a proper descriptive name following your naming convention.
  • Assign the policy to the relevant user groups, then set the policy to cover all cloud apps.
  • As the condition, configure a filter for devices that excludes devices which are compliant, as shown in the following screenshot.
Device filter excluding all devices marked as compliant
  • As the access control, add a session control of type “Use Conditional Access App Control” to block downloads.
Block Unauthorized Downloads
Downloads blocked by the use of Conditional Access App Control Session Access control.

This policy, which is currently in preview, will now block downloads to devices with a compliance state equal to false.
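The policy from the steps above, expressed as a Microsoft Graph `conditionalAccessPolicy` request body, together with a check that an exported policy still matches that design. This is an added example, not part of the original post; the group ID and display name are placeholders, and creating the policy in report-only state first is an assumption of the example.

```python
import json

# Constructed placeholder: object ID of the user group the policy targets.
TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000000"

def build_policy(group_id, state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph)."""
    return {
        "displayName": "CA-Block-Downloads-Unmanaged-Devices",  # hypothetical name
        "state": state,  # report-only by default (assumption of this example)
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            # Compliant devices are filtered out; every other device is in scope.
            "devices": {"deviceFilter": {"mode": "exclude",
                                         "rule": "device.isCompliant -eq True"}},
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True,
                                 "cloudAppSecurityType": "blockDownloads"}
        },
    }

def audit_policy(policy):
    """Return the ways an exported policy deviates from the design in the steps."""
    findings = []
    cond = policy.get("conditions") or {}
    flt = (cond.get("devices") or {}).get("deviceFilter") or {}
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%s)" % policy.get("state"))
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        findings.append("policy does not cover all cloud apps")
    rule = " ".join(flt.get("rule", "").lower().split())
    if flt.get("mode") != "exclude" or rule != "device.iscompliant -eq true":
        findings.append("device filter does not exclude compliant devices")
    if not cas.get("isEnabled") or cas.get("cloudAppSecurityType") != "blockDownloads":
        findings.append("session control does not block downloads")
    return findings

if __name__ == "__main__":
    body = build_policy(TARGET_GROUP_ID)
    print(json.dumps(body, indent=2))
    print(audit_policy(body))
```

Running `audit_policy` over policies exported from the tenant catches a policy that was left in report-only state or whose session control was changed to monitoring only.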

User Experience

We can now test this by signing in to the web portal from an unmanaged device using a user targeted by the policy.

When signing in to the monitored app, Conditional Access App Control uses a reverse proxy to protect data by applying access and session controls. User requests and responses will go through Defender for Cloud Apps rather than directly to the app. This will be visible in the URL now ending with As an example, the address for Outlook Web Access will be

Access Is Monitored

The first time the user signs in to the service after the new policy is set, the following information will be shown to the user. This message can be customized, as shown further down in this article.

Information message for monitored service

As soon as the user is signed in to the service, it will look the same as usual. The following screenshots display OneDrive, where a file upload has been performed from an unmanaged device.

File upload is ok from unmanaged device

The uploaded files will be scanned for viruses.

Download Blocked

All files and documents can be consumed in the cloud-based tools. As soon as a download to an unmanaged device is attempted, our new rule will stop it.

File download to unmanaged device is blocked with informative message

This way, we are blocking the download of files to unmanaged devices. The users can still be productive in the secure portals.

Configure The User Monitoring Message

When users are redirected to the proxied service from Microsoft Defender for Cloud Apps, they are by default informed of this, as we saw earlier. This notification message can be configured in several ways.

  • Navigate to – More resources and open Microsoft Defender for Cloud Apps.
Open Microsoft Defender for Cloud Apps console
  • Press the Settings icon and navigate to User Monitoring found under the Conditional Access App Control portion.
Enable or disable the user monitoring message

Here we have some options to disable the message, or adapt the message to our liking. By customizing the message, we get the chance to add our own text and branding.

Customize the user monitoring message

This can be a nice supplement to my previous article Simon does Complete Branding for your Tenant and Managed Endpoints.

Wrapping up

Conditional access policies provide a powerful solution for businesses to prevent unauthorized downloads of sensitive information. By using Microsoft 365, companies can easily block downloads of files onto unmanaged and non-compliant devices, protecting their data from cyber threats and data loss.

Implementing conditional access policies to block downloads on unmanaged devices, coupled with Cloud App Security, provides a secure environment for users to work productively.

If you have the licensing, you can take action now and implement your conditional access policies to keep your data safe and secure!
