Wednesday, 30 September 2020

Secure your environment with Conditional Access & App Controls

With the Azure AD Conditional Access feature, rules for access to Microsoft Cloud Services and other apps registered in Azure AD can be bound to conditions.

An example of such a rule: when a user accesses a service from an unmanaged device, the user is prompted for multi-factor authentication.

With the option "Use Conditional Access App Control" in the Session Controls area of Azure AD Conditional Access, more advanced scenarios can be set up.


  • Prevent data exfiltration
  • Protect on download
  • Prevent upload of unlabeled files
  • Block potential malware
  • Monitor user sessions for compliance
  • Block access
  • Block custom activities


  • Automatically assign a sensitivity label when a file is downloaded.
  • Filter based on regular expressions: "Include files that match a custom expression".
  • Block the upload if malware is detected.
  • This can be done because the Cloud App Security service then acts as a proxy for accessing the application:

Setup Conditional Access App Control

The options listed above affect all registered apps under  By default, this list is empty:

To register an app, the wizard in Cloud App Security can be used via Investigate -> Connected Apps -> Conditional Access App Control Apps. Another, much simpler way to get started is to use a conditional access policy:

  1. Azure AD Security -> Conditional Access

  2. New Policy

  3. Section "Access controls" -> "Session"

  4. Select "Use Conditional Access App Control"

  5. Select "Use custom policy to set an advanced policy in Cloud App Security"

Configure the policy in the menus "Users and Groups" etc. so that it is applied the next time the app to be registered is opened. As a result, apps that authenticate via Azure AD are automatically registered in Cloud App Security under "Conditional Access App Control":

The above method works for the so-called featured apps. For this option to work with the Office 365 featured apps, Office 365 must be registered under "Connected Apps" in Cloud App Security:

Once an app is registered, session policies can be created that will take effect when the app is used.
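A check an admin could run against the policy list that the steps above produce, as an added example that is not from the original post: it evaluates policy objects in the Microsoft Graph conditionalAccessPolicy shape (constructed samples here; the Teams app ID is a placeholder) and reports which enabled policies actually send a given app and user through Cloud App Security session control. It assumes the Graph field names shown and does not resolve group membership.

```python
"""Which Conditional Access policies route an app through Conditional Access App
Control (Cloud App Security)? Dict shape follows Microsoft Graph's conditionalAccessPolicy."""
TEAMS_APP_ID = "<teams-app-id-placeholder>"  # placeholder, not a real application ID

def policy(name, state, apps, cas_type=None, exclude_users=()):
    """Build a minimal conditionalAccessPolicy-shaped dict (constructed sample)."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "applications": {"includeApplications": apps, "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "sessionControls": None if cas_type is None else
            {"cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": cas_type}},
    }

# Constructed sample tenant. "Office365" is Graph's value for the Office 365 app group;
# "Use custom policy ..." from steps 1-5 is cloudAppSecurityType "mcasConfigured".
POLICIES = [
    policy("Office 365 via Cloud App Security", "enabled", ["Office365"],
           "mcasConfigured", exclude_users=["break-glass-admin-id"]),
    policy("Block downloads (report-only)", "enabledForReportingButNotEnforced",
           ["All"], "blockDownloads"),
    policy("MFA for everyone", "enabled", ["All"]),  # grant control only, no session control
]

def policy_routes_app(pol, app_id, office365_app=True, user_id="some-user-id"):
    """cloudAppSecurityType if pol sends app_id for user_id via Cloud App Security, else
    None. Report-only is not enforced; groups are not resolved (only user IDs / All)."""
    if pol.get("state") != "enabled":
        return None
    cas = (pol.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        return None
    apps, users = pol["conditions"]["applications"], pol["conditions"]["users"]
    names = {app_id} | ({"Office365"} if office365_app else set())
    included = "All" in apps["includeApplications"] or names & set(apps["includeApplications"])
    if not included or names & set(apps.get("excludeApplications", [])):
        return None
    if user_id in users.get("excludeUsers", []) or (
            "All" not in users["includeUsers"] and user_id not in users["includeUsers"]):
        return None
    return cas["cloudAppSecurityType"]

def coverage(policies, app_id, office365_app=True, user_id="some-user-id"):
    """Map each enforcing policy's name to its session-control type for app/user."""
    return {p["displayName"]: t for p in policies
            if (t := policy_routes_app(p, app_id, office365_app, user_id))}
```

An empty result for an app that should be proxied means no enabled policy covers it, which is the first thing to check when the Cloud App Security banner does not appear.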

Example: If the user Oliver Hardy tries to download a document from Microsoft Teams (SharePoint) that contains the term "confidential", the download is blocked.

Further scenarios

  • Monitor / block activities based on file conditions such as classification label, file name, file size or file extension
  • Apply rules based on malware detection
  • Apply classification label to downloads
  • Block downloads based on conditions
  • Monitor / block activities like Cut/Copy Item, Paste Item, Print Item, Send Item

Impact from the user's perspective

When opening the app, the user is notified that access is monitored by Cloud App Security. The involvement of a proxy can also be recognized from the URL, which now carries the suffix

If the user Oliver Hardy now tries to download a document, he gets the following message:

Microsoft Information Protection – News from Ignite 2020

The Microsoft Ignite Conference 2020 was held online from 22.09. - 24.09. Besides many announcements around Microsoft Teams and Office 365, there was also some news about Microsoft Information Protection.

News from Ignite

Microsoft is combining data loss prevention and protection of sensitive data. DLP rules can now be defined in the sensitivity label:

Data Loss Prevention is an area that is currently under strong focus. It is a current and important topic, not least because of the strong growth of home office arrangements in the context of the COVID-19 pandemic. Here is an overview of the announcements:

  • Devices / Endpoint Integration and the Cloud App Security service can now be set as targets for DLP policies:

  • In the context of the Cloud App Security service, it is also possible to restrict which registered apps are affected by the policy:
  • Under the topic "Policy Settings" you can then control the effects of the policy in a very granular way:
  • A DLP policy can be run in test mode in a first step:

There will also be changes from the user's perspective. Here is an example of how DLP will affect Microsoft Teams:


By integrating DLP functions into sensitivity labels and coupling them with the Cloud App Security and Endpoint Manager / Intune services, sensitive data can now be protected with a holistic approach. With the new options, protection is independent of the storage location, the tool used for editing and the device used. Nevertheless, users can still work flexibly with the data - even from the home office.

The key topics on the current roadmap at are: