Overview
Its recommended to block cut, copy, paste and print of corporate data from an unmanaged device while using Microsoft 365 / Office 365 applications, e.g. Microsoft Teams, Sharepoint, Onedrive, Exchange Online etc. We are categorizing an unmanaged device as Microsoft Intune Non-Compliant device.
Using a combination of Conditional Access Policy and Microsoft Cloud app security (MCAS) Policy we can complete this task. In the following sections, we will first create a Policy on MCAS portal (https://portal.cloudappsecurity.com) and then a Conditional Access Policy. Once these Policies are in place, we will perform testing from an unmanaged device to see what happens when we try to perform these actions.
Steps to block cut / copy / paste / print on unmanaged device
Before creating MCAS Policy make sure Office 365 app is connected. You can check the App connection status by going to MCAS Portal -> Investigate -> Connected apps -> App connectors. If you do not see office 365 app connected, then you can check this blog post for establishing the connection and then complete the steps in the following sections of this blog post.
Create MCAS policy to block Cut, Copy, Paste and Print Activity
- Login on Microsoft cloud App security portal.
- Go to Control -> Policies -> Conditional Access.
- Click on + Create Policy -> Session Policy.
Policy Template: Select Block cut/copy and paste based on real-time content inspection from the drop down.
Activity Source: Apply / Add below Filters:
| Activity Type | equals | Print, Cut/Copy item, Paste Item | |
| App | equals | Microsoft Online Services | |
| Device | Tag | Does not Equal | Intune Compliant |
Uncheck / Disable Use Content inspection Checkbox.
In the Actions section, Select Block.
Click on Create to create this policy.
Create a Conditional Access(CA) policy
- Login on Microsoft Azure Portal (https://portal.azure.com)
- Search for Azure AD Conditional Access using search bar at the top.
Click on + New Policy to create a CA Policy and configure it as per below settings:
| Name | Prevent Cut, Copy, Paste, Print from Unmanaged Device | |
| Users and Groups | Include: All users | Exclude: Breakglass AAD Security Group |
| Cloud apps or actions | Select apps: Office365 | Exclude: None |
| Conditions | Client apps: Browser | |
| Device State | Include: All device state | Exclude: Devices Marked as Compliant |
| Session | Select Use Conditional Access App Control Use Custom Policy |
Testing out the policy from Unmanaged Device
Use any browser to access any Microsoft 365 Application for example Microsoft Teams. The app will get proxied through MCAS (you can confirm by checking the URL in address bar) and you will get below message while trying to access the application. Click on Continue to Microsoft Teams.
Now, its time to test the policy to see if its working fine. I tried to copy to or from Microsoft teams and I received below error message in the screenshot. Therefore, the testing is successfully completed and policies which we created in previous sections of this blog post are working fine. At this time if you have applied the conditional access policy to pilot users or test users, you can decide to apply it to all the users.
Conclusion
Cloud app security is very powerful tool for the security of any organization w.r.t. Microsoft Cloud based applications and also third party cloud services. This article is just one example of how MCAS can help in securing the confidential data residing in organization cloud based services. MCAS can perform a lot more functions like Shadow IT Discovery (to identify all applications being used in your company by employees and calculate risk level), Information Protection, Threat Protection, Compliance and Reporting and more..
