How to block external users from downloading files from Teams

  • Post last modified: August 7, 2023

In this day and age, sharing data and collaborating on documents with users external to your organisation is an essential requirement for many businesses. Your users may want to share documents, reports, project files, images or even video files with clients or external users and it should be encouraged with training. 

By enabling your users to work with external parties from within your corporate-managed systems, you reduce their temptation to move sensitive data through third-party tools such as Dropbox or WeTransfer, where little thought is given to how that data is protected.

In this tutorial, I am going to show you how you can use Conditional Access together with Cloud App Security (Microsoft Defender for Cloud Apps) in Azure Active Directory to prevent external users from downloading data from Microsoft Teams and other Office 365 services.

Requirements

Unfortunately, we know that there are no freebies regarding valuable services in Azure. In order to use both Conditional Access and Cloud App Security you must have one of the following licenses:

  • Azure AD Premium P1
  • Microsoft Defender for Cloud Apps

Although Azure AD Premium P1 does include Cloud App Discovery, this is only to provide you with deeper insights into the cloud app usage in your environment. You will still need Microsoft Defender for Cloud Apps to provide real-time policy enforcement and in this case, block downloads.

Block external users from downloading files from Teams and SharePoint

Let’s look at how to implement the solution to block external users from downloading files from Microsoft Teams and SharePoint.

1. Start by logging into Azure Active Directory, then select Azure Active Directory > Security.

Select Azure Active Directory then Security

2. Under the Protect heading, select Conditional Access.

Select Conditional Access

3. Select New policy to start the conditional access policy creation wizard.

Select New policy

4. Give your policy a meaningful name, then select the Users assignment. In the pane that appears on the right, click Select users and groups, check the box next to Guest or external users and select all user types in the drop-down list. Lastly, check All so the policy applies to guests from all external Azure AD organizations.

Define a name and select all external and guest users

5. Next to Cloud apps or actions, click Select apps and choose the Office 365 app. This includes all Office 365 cloud services, including SharePoint and Teams.

Select Office 365

The Office 365 app includes the following apps (you can also select only the individual apps that suit your needs):

  • Exchange Online
  • Microsoft 365 Search Service
  • Microsoft Forms
  • Microsoft Planner (ProjectWorkManagement)
  • Microsoft Stream
  • Microsoft Teams
  • Microsoft To-Do
  • Microsoft Flow
  • Microsoft Office 365 Portal
  • Microsoft Office client application
  • Microsoft To-Do WebApp
  • Microsoft Whiteboard Services
  • Office Delve
  • Office Online
  • OneDrive
  • Power Apps
  • Power Automate
  • Security & compliance portal
  • SharePoint Online
  • Skype for Business Online
  • Skype and Teams Tenant Admin API
  • Sway
  • Yammer

6. Under Access controls, select Grant access and check Require multifactor authentication. This grants external users access to Office 365 but ensures that they must first register for multi-factor authentication (based on your MFA policy).

Grant controls

7. Under Session controls, check the box next to Use Conditional Access App Control and select Block downloads from the drop-down list.

Block Downloads policy

8. Lastly, set the policy to On and click Create.

Click create

Block external users from logging into desktop apps

With the first conditional access policy, we have prevented external users from downloading files from SharePoint and Teams through a web browser. The problem is that users are still able to open the Team in the Teams desktop application and download the files from there.

To create the next policy, run through steps 1 to 5 above to create a similar policy, then continue with the steps below.

6. In the Conditions section, select Client apps.

Select Conditions then Client apps

7. Click Yes under Configure, then select all options except Browser.

Select all clients except the browser

8. In the Access controls section, select Block access.

Block access

9. Lastly, set the policy to On and click Create.
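Both policies can also be created outside the portal. The following PowerShell is an added example, not code from the original post, that builds the same two Conditional Access policies (the browser download block from the first procedure and the non-browser block from this second one) through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope; the policy display names are placeholders of my own.

```powershell
# Added example (not from the original post): create the tutorial's two Conditional
# Access policies with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 4: every guest/external user type from all external Azure AD organisations.
$externalUsers = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
        externalTenants = @{
            "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
            membershipKind = "all"
        }
    }
}
# Step 5: the Office 365 app group (Teams, SharePoint Online, OneDrive, ...).
$office365 = @{ includeApplications = @("Office365") }

# Policy 1 (steps 6-8): grant access with MFA and route the web session through
# Defender for Cloud Apps using the built-in "Block downloads" session control.
$blockDownloads = @{
    displayName     = "External users - block downloads (Office 365)"   # placeholder name
    state           = "enabled"   # "enabledForReportingButNotEnforced" to trial it first
    conditions      = @{
        users          = $externalUsers
        applications   = $office365
        clientAppTypes = @("all")   # session controls only take effect in browser sessions
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}

# Policy 2 (second procedure, steps 6-9): block every client type except the browser,
# which closes the gap where the Teams desktop client could still download files.
$blockDesktop = @{
    displayName   = "External users - block non-browser clients (Office 365)"   # placeholder
    state         = "enabled"
    conditions    = @{
        users          = $externalUsers
        applications   = $office365
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
foreach ($policy in @($blockDownloads, $blockDesktop)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' id={1} state={2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Creating both policies in report-only mode first lets you confirm in the sign-in logs that only guest accounts are matched before switching the state to enabled.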

What the end-user experience looks like

Once the policy is in place, you can expect the restrictions to apply as soon as an external user's current session refreshes, or immediately for external users who sign in afterwards.

When the external user clicks the invitation to open the Team they have been added to, they will be asked to register for multi-factor authentication. Once registered, they will need to approve the sign-in to access the Team.

First sign in

Before they can access the shared data, they will also be notified that their session is being monitored and that they will only be able to access it from a web browser. (This message is not accurate on its own: by default the user can still access and download files from within the Teams desktop client, which is why we created the additional Conditional Access policy to block that behaviour.)

Access is being monitored

Now that the user is able to access the shared data from Teams on the web, if they try to download the data they will receive the following notice.

Download blocked

Also, for the user to access the files from within Teams, they will either have to choose the option to launch the desktop app when opening the Team from their invitation email, or switch to their guest account from within Teams by selecting their icon at the top right and choosing Organisation (Guest). Either way, when they try to log in to the desktop app they will see the following error.

Desktop access blocked

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

Jean carlos Romero

When I try to apply this Conditional Access: MAM policy can only be applied to Android or iOS client platforms.

Daniel

Hi Jean! Yes, that is correct, that setting only applies to Android and iOS platforms, so you can safely uncheck that option if you are applying to Windows devices. I will update the post so it is clearer.

Thanks!
Dan