With many users currently working from home because of the coronavirus, what about security? You can follow the activity logs of specific users in Cloud App Security, or create custom alerts, but that does not scale in an organization with more than 1000 users.
This post describes how to block file downloads to personal devices while leaving your managed devices untouched, that is, devices that are compliant in Microsoft Intune or Hybrid Azure AD joined. Keeping company data off unmanaged devices also reduces what walks out the door when a user leaves the company.
Browse to Azure Active Directory > Security > Conditional Access and create a new policy:
Give your policy a name and assign it to everyone in the organization, to a specific group or to specific users. You can also assign it to specific directory roles (Global admins, Security admins, etc.) or to guest users. I assigned the policy only to my own account.
Assign the policy to one or more cloud apps, or to all cloud apps.
Under Conditions you can choose to apply the policy only when the sign-in risk is high or when the user is on a specific OS. To apply the policy only to personal devices, use the Device state condition and exclude Hybrid Azure AD joined devices and devices marked as compliant in Microsoft Endpoint Manager. Note: "Device marked as compliant" means the device is enrolled in Microsoft Endpoint Manager and meets the compliance policies you configured there; any device that is neither registered nor compliant stays in scope of the policy.
In my case I selected both options in the exclusion list, which means that a device that is Hybrid Azure AD joined or compliant in Intune is excluded from the policy.
I granted access to the applications without any additional grant controls.
This is the most important part. Under Session, enable Use Conditional Access App Control and select Block downloads. You can also select Use custom policy and point the control to a session policy you created yourself in Cloud App Security.
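The same policy can be created from the command line. The following is an added example, not code from the original post, that builds the policy with the Microsoft Graph PowerShell SDK instead of clicking through the portal. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the group ID and policy name are placeholders you replace with your own. It uses the newer Filter for devices condition instead of the Device state condition shown in the portal steps: compliant devices and Hybrid Azure AD joined devices (trustType "ServerAD") are excluded, so an unregistered personal device does not match the filter and stays in scope.

```powershell
# Added example (not from the original post): create the "block downloads on
# unmanaged devices" Conditional Access policy through Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; placeholders below replaced.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$pilotGroupId    = '00000000-0000-0000-0000-000000000000'   # placeholder: your pilot group
$breakGlassUser  = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency access account
$policyName      = 'Block downloads on unmanaged devices'

$policy = @{
    displayName = $policyName
    # Start in report-only mode and review the sign-in logs before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Never lock your emergency access account behind a session proxy.
            excludeUsers  = @($breakGlassUser)
        }
        applications = @{
            includeApplications = @('All')
        }
        # Conditional Access App Control proxies browser sessions only, so scope
        # the policy to browser sign-ins.
        clientAppTypes = @('browser')
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                # Exclude Intune-compliant and Hybrid Azure AD joined devices.
                # A device that is not registered at all matches neither clause
                # and therefore remains subject to the policy.
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    # No grant controls: access is granted, only the session is restricted.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'   # or 'mcasConfigured' for a custom CAS policy
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the session control and device filter landed.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name          = $check.DisplayName
    State         = $check.State
    SessionType   = $check.SessionControls.CloudAppSecurity.CloudAppSecurityType
    DeviceFilter  = $check.Conditions.Devices.DeviceFilter.Rule
}
```

Leave the policy in report-only mode for a few days and check the Conditional Access report-only tab in the sign-in logs: every sign-in that shows the policy as "Report-only: Success" is a session that would have been proxied. Switch `state` to `enabled` only once the list of affected devices matches what you expect.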
End user experience?
When browsing to outlook.office365.com the user first sees the following notice from Cloud App Security, informing them that the session is monitored. Note that the address bar changes to the Cloud App Security reverse-proxy URL (with an .mcas.ms suffix), because the session is now routed through the proxy.
When the user tries to download a file from a personal device (a device that is neither Hybrid Azure AD joined nor compliant in Intune), Cloud App Security blocks the download and shows a pop-up explaining that downloads are restricted.