Block download in Teams (Windows 10 application)




Is there a way to block data exfiltration (e.g. block download) to Windows 10 Microsoft Teams application (not the web version) in a real time protection manner? Since Intune MAM policies cannot be configured for Windows 10 the only option would be WIP?


Thank you,


7 Replies


You can block downloads in SharePoint Online and Ondrive ,

-Conditional Access Policy 


Control access from unmanaged devices:


Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. You do this by creating a policy that specifies the level of protection and the sites to apply the protection to.

  • Sensitive sites: Allow browser-only access. This prevents users from editing and downloading files.
  • Highly regulated sites: Block access from unmanaged devices.

See "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.



@George Smyrlis 



Great answer.  Also worth pointing out that Conditional Access requires a minimum of Azure AD Premium P1 licence, and to use session controls you will also need to be licensed for Cloud App Security.

MCAS cannot enforce session policies on desktop/native apps. Session policies and controls (including block downloads) are limited to browser sessions only. This is documented at:


For native/desktop apps, MCAS can allow or block access completely using a CAS Access policy but this does not allow granular control over activities.


A typical implementation in a scenario where one wants to limit downloading of files for users on non-compliant or non-hybrid joined machines, is to have a CA policy in AAD conditional access to forward sessions to CAS (using the 'use custom policy' option) and a CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions.

Hi @rajatm , In your suggestion below can you explain how i create an CAS policy to block native apps and force users to use the Web app  "CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions."


I have an access control policy for native client as follows:


Device+ tag+ does not equal =Intune Compliant , Hybrid Compliant. 

App=Microsoft teams

User Agent tag =Native Client 

USer +NAme = (User) 


Session Policy 

- Control file downloads with Inspection

app=Microsoft teams

USer +Name =(User) 

Device+tag=HybridAzure Ad joined,Intune compliant


cant seem to get users on a Non Supported device be stopped from downloading files from teams.




hello @gd2020 , you should add a 'client app' == 'Mobile or desktop' filter to the access policy. without this filter, access policies only apply to browsers. this is documented at: . this access policy should then block users from being able to sign-in to the Teams desktop app.