Microsoft Defender for Cloud Apps, formerly Microsoft Cloud App Security, is Microsoft's Cloud Access Security Broker (CASB) solution. A CASB is the intermediary that sits between your end users and the cloud services they need to access, monitoring and securing that traffic. This lets you apply policies that monitor and protect access to those cloud services, for example policies that prevent data exfiltration on personal devices you can't manage with Intune, which is what we will cover today.
Microsoft Defender for Cloud Apps (MDCA) can be used to protect organization data accessed through Software as a Service (SaaS) solutions on unmanaged devices (BYOD). With MDCA you can onboard Microsoft 365, G Suite, Dropbox, Salesforce and other SaaS solutions. In our case we are monitoring organisation email on BYOD devices: users can still access their email in the browser, but as the administrator you can prevent downloading of email attachments or copying of email content on personal devices, without having to enrol the devices in Mobile Device Management (MDM) or Mobile Application Management (MAM).
When a user attempts to copy or download an email attachment on their personal device (PC or mobile phone), they get a prompt indicating that the download action is not allowed by the organization (you can customise the notification they receive here).

This download attempt can also be raised as an alert to the admins for further investigation. The admin receives an email about the policy violation with details of the policy and a link to investigate further.

The user also receives an email notifying them of the policy violation, optionally with a statement on what they can do next.

To implement this level of control on unmanaged devices, you first create a Conditional Access policy in the Entra admin center, include the cloud apps you want to monitor and protect, and enable the session control “Use Conditional Access Policy.”
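The same Conditional Access policy can be created with Microsoft Graph PowerShell, which is handy when you want the change reviewable and repeatable rather than clicked through the portal. The block below is an added example and not part of the original post or Microsoft's documentation; it assumes the Microsoft.Graph.Identity.SignIns module is installed, uses the Graph keyword `Office365` for the Office 365 app group, and uses a placeholder object ID for an emergency-access (break-glass) account that you should exclude from any session-control policy. It creates the policy in report-only state so you can check the sign-in logs before enforcing it.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# that routes browser sessions to Defender for Cloud Apps, starting in report-only mode.
# Assumption: Microsoft.Graph.Identity.SignIns is installed (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: object ID of your emergency-access account; never leave it inside a session-control policy.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName     = "BYOD - Route Office 365 browser sessions through Defender for Cloud Apps"
    # Report-only: the sign-in log shows what the policy would have done, nothing is enforced yet.
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{
            includeApplications = @("Office365")   # Graph keyword for the Office 365 app group
        }
        clientAppTypes = @("browser")              # session controls only apply to browser sessions
    }
    sessionControls = @{
        # Portal: Session > "Use Conditional Access App Control" > "Use custom policy".
        # The block/monitor rule itself is defined later in the MDCA session policy.
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify the session control was stored as intended before enforcing.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).SessionControls.CloudAppSecurity

# Once the report-only results look right, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Scoping `clientAppTypes` to `browser` matters: Conditional Access App Control only proxies browser sessions, so rich clients such as Outlook desktop are not affected by this policy and would need a separate control (for example requiring a compliant device) if you want to close that path too.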

With the Conditional Access policy configured, you can now configure the Conditional Access App Control that we selected before. This is done in the Conditional Access policies section of Microsoft Defender for Cloud Apps. Navigate to security.microsoft.com, log in with your admin credentials, then scroll down to the Cloud Apps section in the left navigation.
Under Policies, select Policy management, click Create policy, and choose Session policy.

We will use the templates provided by Microsoft: click the Policy template dropdown and select “Block download based on real-time content inspection.”

The activity section is where we define the rule for the policy. We want to monitor and block download activities on unmanaged devices, so we add a match for devices that are not Intune compliant or Hybrid Azure AD joined. In our case we are targeting our Microsoft 365 environment, so we also add an app filter and specify the app we want to monitor.

In the file matching section, we can restrict the action to files that contain specific sensitive information, match trainable classifiers, or carry sensitivity labels, or we can act on all files accessed from unmanaged devices by leaving this option unselected.

In our case we want to block all downloads on unmanaged devices, so we leave the match option blank, select Block, enable notifications, and save the policy.