It’s been fairly easy to restrict access to Office 365 on Android and iOS using Conditional Access, but restricting other devices has been a bit hit and miss, with Windows WIP being easy to circumvent and few controls for Mac.
With Cloud App Security you can now fully control access and restrict users on unknown devices.
Example Scenario
Users on managed devices (Hybrid Azure AD joined or Intune managed devices) will have full access.
Users on unmanaged / unknown devices can only access Office apps through a browser; downloads will be blocked, and cut, copy, paste and print will be blocked as well.
This is a typical scenario where an organisation wants to stop data loss when staff leave with corporate data on their home devices.
How it works
The components for this are Conditional Access and Cloud App Security.
Conditional Access
Microsoft has a good description of this; it is basically "if this happens, do the following". As a user attempts to connect to a cloud app, i.e. Exchange Online or SharePoint, Conditional Access assesses the device state and sends the user's session either to Cloud App Security to control the session, or on to the app with no restrictions.
Cloud App Security
How to
Restricted Browser Access to Office 365
1. Go to https://portal.cloudappsecurity.com.
2. Click Policies.
3. Under Create Policy, choose Session Policy (browser access is regarded as a session).
4. Choose a name for your policy.
5. Under Session Control Type, choose Control file download (with DLP).
Now the policy is set up and ready. You'll notice there isn't any change at the moment; this is because Cloud App Security relies on Conditional Access to send devices that are trying to access cloud apps on to Cloud App Security.
Conditional Access settings
Setting up the Conditional Access policy will send the session to Cloud App Security if it meets certain conditions, i.e. it is an unmanaged computer.
1. Select the users you want to be assessed by the policy.
2. Select the cloud apps you want to restrict access to, in this case Office 365 Exchange Online; you could also choose SharePoint.
(I'd advise you repeat this Conditional Access policy with another one with the same settings, except that in the new policy you put SharePoint as the cloud app. This way you can turn policies on and off separately as per users' needs, and you can then scope the policy to a group for each app.)
3. For device platforms I have chosen All Devices; this way even the MAM controlled phone devices I have will be restricted if using a browser.
4. For locations I have chosen Any location.
5. In Device state, choose to exclude Hybrid Azure AD joined and compliant devices.
6. In Session, use Conditional Access App Control and select Use custom policy.
Save your policy.
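The same Conditional Access policy, built through Microsoft Graph with the Microsoft.Graph PowerShell module, as an added example that is not part of the original post. It follows the post's advice of one policy per app, scoped to a group; the group id is a placeholder, the browser client-app-type is an assumption, and the policy is created in report-only state so the sign-in logs can be checked before it is enforced.

```powershell
# Added example: creates the Conditional Access policy from the steps above,
# once per app (Exchange Online, SharePoint Online), via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$targetGroupId = "<GROUP-OBJECT-ID>"   # placeholder: the group each policy is scoped to

# Well-known first-party app ids for the two workloads named in the post
$apps = @{
    "Exchange Online"   = "00000002-0000-0ff1-ce00-000000000000"
    "SharePoint Online" = "00000003-0000-0ff1-ce00-000000000000"
}

foreach ($app in $apps.GetEnumerator()) {
    $policy = @{
        displayName = "MCAS session control - $($app.Key) - unmanaged devices"
        # Report-only first; switch to "enabled" once the sign-in logs look right
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeGroups = @($targetGroupId) }        # step 1
            applications   = @{ includeApplications = @($app.Value) }      # step 2
            clientAppTypes = @("browser")        # assumption: session controls act on browser sessions
            platforms      = @{ includePlatforms = @("all") }              # step 3: All devices
            locations      = @{ includeLocations = @("All") }              # step 4: Any location
            # Step 5: exclude compliant and Hybrid Azure AD joined (trustType ServerAD) devices.
            # The device filter is the current equivalent of the older Device state condition.
            devices        = @{
                deviceFilter = @{
                    mode = "exclude"
                    rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
                }
            }
        }
        # Step 6: Conditional Access App Control with "Use custom policy"
        sessionControls = @{
            cloudAppSecurity = @{
                isEnabled            = $true
                cloudAppSecurityType = "mcasConfigured"
            }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
```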
Optional: Block Copy and Paste from unmanaged devices
1. Create another Session policy under Policies and choose the Block copy/paste option.
2. Optionally (advised), add the "user is in group" filter. This way you can make a group just for this copy and paste restriction; it's unlikely you'll want this restriction on many users unless you are at a very restricted site.
Other options on this policy are to only block copy and paste if certain words or phrases are found, or based on the sensitivity level of the documents.
In this option I've turned off content inspection; if it is ticked you can set copy and paste restrictions based on phrases or the sensitivity of documents.
Save your policy.
Result
On an unmanaged device through a browser:
You will be warned that your session is being monitored when you open Outlook.
Go into an email and attempt to download an attachment.
You will receive the message that your download is blocked.
You will also receive a Blocked content message if you attempt to copy and paste.
NOTES
Try to separate your policies by groups; often your finance dept will have more restrictions than, for example, your design dept.
Cloud App Security relies on Conditional Access to send your users to it; just setting the policy in Cloud App Security won't do anything on its own.
Add another Conditional Access policy to block desktop apps, excluding compliant and managed devices. This way your cloud apps are completely secured and only accessible from corporate devices.