In this day and age, sharing data and collaborating on documents with users external to your organisation is an essential requirement for many businesses. Your users may want to share documents, reports, project files, images or even video files with clients or external users and it should be encouraged with training.
By enabling your users to work with external parties from within your corporate-managed systems, you reduce their temptation to use third-party tools like Dropbox or WeTransfer to move sensitive data without proper thought being given to it.
In this tutorial, I am going to show you how you can use Conditional Access with Cloud App Security in Azure Active Directory to prevent external users from downloading data from Microsoft Teams and other Office 365 services.
Requirements
Unfortunately, as with most valuable services in Azure, there are no freebies here. In order to use both Conditional Access and Cloud App Security you must have the following licenses:
- Azure AD Premium P1
- Microsoft Defender for Cloud Apps
Although Azure AD Premium P1 does include Cloud App Discovery, this only provides deeper insight into the cloud app usage in your environment. You will still need Microsoft Defender for Cloud Apps to provide real-time policy enforcement and, in this case, to block downloads.
Block external users from downloading files from Teams and SharePoint
Let’s look at how to implement the solution to block external users from downloading files from Microsoft Teams and SharePoint.
1. Start by logging into the Azure portal, then select Azure Active Directory > Security.
2. Under the Protect heading, select Conditional Access.
3. Select New policy to start the conditional access policy creation wizard.
4. Give your policy a meaningful name, then under Assignments select Users. In the pane that appears on the right, click Select users and groups, check the box next to Guest or external users and select all user types in the drop-down list. Lastly, check All so the policy applies to all external Azure AD organisations.
5. Next to Cloud apps or actions, click Select apps and choose the Office 365 app. This includes all Office 365 cloud services, including SharePoint and Teams.
The Office 365 app bundles all of the individual Office 365 services (you can also select only the individual apps that suit your needs).
6. Under Access controls, select the Grant control Require multifactor authentication to allow external users to access Office 365. This ensures that any external user must register for multi-factor authentication (based on your MFA policy).
7. Under Session controls, check the box next to Use Conditional Access App Control and select Block downloads from the drop-down list.
8. Lastly, set the policy to On and click Create.
Block external users from logging into desktop apps
With the first Conditional Access policy, we have prevented external users from downloading files from SharePoint and Teams through a web browser. The problem is that they are still able to open the Team in the Teams desktop application and download the files from there.
To create the next policy, run through steps 1 to 5 above to create a similar policy.
6. In the Conditions section, select Client apps.
7. Click Yes under Configure, then select all options except the Browser option.
8. In the Access controls section, select Block access.
9. Lastly, set the policy to On and click Create.
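The two policies from both sections above, expressed as Microsoft Graph request bodies (an added example, not the post's own code: the constant values are Graph's documented enum names for the portal choices, and evaluate() is a local approximation of the outcome for each client app type, not Azure AD's evaluation engine):

```python
# Added example (not code from the original post): the two Conditional Access policies above,
# as Microsoft Graph bodies for POST /v1.0/identity/conditionalAccess/policies
# (needs the Policy.ReadWrite.ConditionalAccess scope); everything here runs offline.

OFFICE_365 = "Office365"  # well-known id of the "Office 365" cloud app bundle (step 5)
# Graph serialises this flag enum as a comma-separated string: the six "all user types" (step 4)
ALL_GUEST_TYPES = ("internalGuest,b2bCollaborationGuest,b2bCollaborationMember,"
                   "b2bDirectConnectUser,otherExternalUser,serviceProvider")
NON_BROWSER_CLIENTS = ["mobileAppsAndDesktopClients", "exchangeActiveSync", "other"]


def _policy(name: str, state: str, client_app_types: list) -> dict:
    """Shared assignments: every guest/external user type from all external Azure AD
    organisations, targeting the Office 365 app, with the given Client apps condition."""
    return {"displayName": name, "state": state, "conditions": {
        "users": {"includeGuestsOrExternalUsers": {
            "guestOrExternalUserTypes": ALL_GUEST_TYPES,
            "externalTenants": {"@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                                "membershipKind": "all"}}},
        "applications": {"includeApplications": [OFFICE_365]},
        "clientAppTypes": client_app_types}}


def block_downloads_policy(name: str, state: str = "enabled") -> dict:
    """Policy 1 (steps 1-8): require MFA, then let MDCA block downloads in the session."""
    p = _policy(name, state, ["all"])  # no Client apps condition configured
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    p["sessionControls"] = {"cloudAppSecurity": {"isEnabled": True,
                                                 "cloudAppSecurityType": "blockDownloads"}}
    return p


def block_desktop_apps_policy(name: str, state: str = "enabled") -> dict:
    """Policy 2 (second section, steps 6-9): block every client app except Browser."""
    p = _policy(name, state, NON_BROWSER_CLIENTS)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def evaluate(policies: list, client_app: str) -> dict:
    """Local approximation of what an external user reaching Office 365 via client_app gets.
    MDCA download blocking only covers proxied browser sessions, hence policy 2 for the desktop app."""
    out = {"blocked": False, "mfa": False, "downloads_blocked": False}
    for p in policies:
        types = p["conditions"]["clientAppTypes"]
        if p["state"] != "enabled" or not ("all" in types or client_app in types):
            continue
        grants = p.get("grantControls", {}).get("builtInControls", [])
        out["blocked"] |= "block" in grants
        out["mfa"] |= "mfa" in grants
        cas = p.get("sessionControls", {}).get("cloudAppSecurity", {})
        out["downloads_blocked"] |= (client_app == "browser" and bool(cas.get("isEnabled"))
                                     and cas.get("cloudAppSecurityType") == "blockDownloads")
    return out
```

Running evaluate() with only policy 1 against "mobileAppsAndDesktopClients" reproduces the gap described in the second section: MFA applies, but nothing blocks the desktop client or its downloads.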
What the end-user experience looks like
Once the policy is in place, you can expect the restrictions to apply once the external users’ current session refreshes, or instantly for external users logging in.
When the external user clicks the invitation to open the Team they have been added to, they will be asked to register for multi-factor authentication. Once registered, they will need to approve the sign-in to access the Team.
Before they can access the shared data they will also be notified that their session is being monitored and that they will only be able to access it from a web browser. (This is not quite true: by default the user can still access and download files from within the Teams desktop client, which is why we created the additional Conditional Access policy to block that behaviour.)
Now that the user is able to access the shared data from Teams on the web, if they try to download the data they will receive the following notice.
Also, for the user to access the files from within the Teams desktop app, they will have to either choose the option to launch the desktop app when opening the Team from their invitation email, or switch to their guest account from within Teams by selecting their icon at the top right and choosing Organisation (Guest). Either way, when they try to log in to the desktop app they will see the following error.
When I try to apply this Conditional Access, but MAM policy can only be applied to Android or iOS client platforms.
Hi Jean! Yes, that is correct, that setting only applies to Android and iOS platforms, so you can safely uncheck that option if you are applying it to Windows devices. I will update the post so it is clearer.
Thanks!
Dan