How to block Cut, Copy, Paste and Print from an unmanaged device using Microsoft Cloud App Security (MCAS)


Its recommended to block cut, copy, paste and print of corporate data from an unmanaged device while using Microsoft 365 / Office 365 applications, e.g. Microsoft Teams, Sharepoint, Onedrive, Exchange Online etc. We are categorizing an unmanaged device as Microsoft Intune Non-Compliant device.

Using a combination of Conditional Access Policy and Microsoft Cloud app security (MCAS) Policy we can complete this task. In the following sections, we will first create a Policy on MCAS portal ( and then a Conditional Access Policy. Once these Policies are in place, we will perform testing from an unmanaged device to see what happens when we try to perform these actions.

Also Read: Connect Office 365 App with Microsoft Cloud App Security (MCAS), Integrate AAD with MCAS, Block Downloads using MCAS and CA Policies

Steps to block cut / copy / paste / print on unmanaged device

Before creating MCAS Policy make sure Office 365 app is connected. You can check the App connection status by going to MCAS Portal -> Investigate -> Connected apps -> App connectors. If you do not see office 365 app connected, then you can check this blog post for establishing the connection and then complete the steps in the following sections of this blog post.

Create MCAS policy to block Cut, Copy, Paste and Print Activity

Policy Template: Select Block cut/copy and paste based on real-time content inspection from the drop down.

Activity Source: Apply / Add below Filters:

Activity TypeequalsPrint, Cut/Copy item, Paste Item
App equalsMicrosoft Online Services
DeviceTagDoes not EqualIntune Compliant
MCAS policy to block Cut, Copy, Paste and Print Activity

Uncheck / Disable Use Content inspection Checkbox.

MCAS content inspection

In the Actions section, Select Block.

MCAS Actions

Click on Create to create this policy.

MCAS Policies

Create a Conditional Access(CA) policy

  • Login on Microsoft Azure Portal (
  • Search for Azure AD Conditional Access using search bar at the top.

Click on + New Policy to create a CA Policy and configure it as per below settings:

NamePrevent Cut, Copy, Paste, Print from Unmanaged Device
Users and GroupsInclude: All usersExclude: Breakglass AAD Security Group
Cloud apps or actionsSelect apps: Office365Exclude: None
ConditionsClient apps: Browser
Device StateInclude: All device stateExclude: Devices Marked as Compliant
SessionSelect Use Conditional Access App Control
Use Custom Policy

Testing out the policy from Unmanaged Device

Use any browser to access any Microsoft 365 Application for example Microsoft Teams. The app will get proxied through MCAS (you can confirm by checking the URL in address bar) and you will get below message while trying to access the application. Click on Continue to Microsoft Teams.

MCAS Access to Microsoft Teams is monitored

Now, its time to test the policy to see if its working fine. I tried to copy to or from Microsoft teams and I received below error message in the screenshot. Therefore, the testing is successfully completed and policies which we created in previous sections of this blog post are working fine. At this time if you have applied the conditional access policy to pilot users or test users, you can decide to apply it to all the users.

This action is blocked by your organization's security policy


Cloud app security is very powerful tool for the security of any organization w.r.t. Microsoft Cloud based applications and also third party cloud services. This article is just one example of how MCAS can help in securing the confidential data residing in organization cloud based services. MCAS can perform a lot more functions like Shadow IT Discovery (to identify all applications being used in your company by employees and calculate risk level), Information Protection, Threat Protection, Compliance and Reporting and more..

More Information

Leave a Comment