Block download in Teams (Windows 10 application)


Hello,

Is there a way to block data exfiltration (e.g. block download) to Windows 10 Microsoft Teams application (not the web version) in a real time protection manner? Since Intune MAM policies cannot be configured for Windows 10 the only option would be WIP?

Thank you,

George

7 Replies

Hello,

You can block downloads in SharePoint Online and OneDrive:

- Conditional Access Policy

Control access from unmanaged devices:

https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath...

Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. You do this by creating a policy that specifies the level of protection and the sites to apply the protection to.

  • Sensitive sites: Allow browser-only access. This prevents users from editing and downloading files.
  • Highly regulated sites: Block access from unmanaged devices.

See "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.

@George Smyrlis 

@Lassaad_TOUKABRI 

Great answer.  Also worth pointing out that Conditional Access requires a minimum of Azure AD Premium P1 licence, and to use session controls you will also need to be licensed for Cloud App Security.

MCAS cannot enforce session policies on desktop/native apps. Session policies and controls (including block downloads) are limited to browser sessions only. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad

For native/desktop apps, MCAS can allow or block access completely using a CAS Access policy but this does not allow granular control over activities.

A typical implementation in a scenario where one wants to limit downloading of files for users on non-compliant or non-hybrid joined machines, is to have a CA policy in AAD conditional access to forward sessions to CAS (using the 'use custom policy' option) and a CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions.

Hi @rajatm, in your suggestion below can you explain how I create a CAS policy to block native apps and force users to use the web app: "CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions."

I have an access control policy for native client as follows:

Access policy:

  • Device + tag + does not equal = Intune Compliant, Hybrid Compliant.
  • App = Microsoft Teams
  • User Agent tag = Native Client
  • User + Name = (User)

Session policy:

  • Control file downloads with Inspection
  • App = Microsoft Teams
  • User + Name = (User)
  • Device + tag = Hybrid Azure AD joined, Intune compliant

Can't seem to get users on a non-supported device to be stopped from downloading files from Teams.

Hello @gd2020, you should add a 'client app' == 'Mobile or desktop' filter to the access policy. Without this filter, access policies only apply to browsers. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls . This access policy should then block users from being able to sign in to the Teams desktop app.
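The design rajatm describes (a Conditional Access policy that hands Teams sessions on unmanaged devices to Cloud App Security with the 'use custom policy' option, a CAS access policy for native clients and a CAS session policy for browser downloads) stands or falls on the Conditional Access policy covering both browser and desktop sign-ins; the 'client app' filter in the last reply is the CAS-side counterpart of the same condition. The Python below is an added example written for this thread, not code from the thread's participants or from Microsoft. It builds the request body for the Microsoft Graph `POST /identity/conditionalAccess/policies` call using the documented `clientAppTypes`, `deviceFilter` and `sessionControls.cloudAppSecurity` fields, and lints a policy body for the gaps discussed above. The app and group object ids are constructed placeholders, the device-filter rule is an assumption about which devices count as managed in your tenant, and the script does not contact Graph; it only produces and checks the body.

```python
import json

# Constructed placeholders for this example (not real tenant values): replace them with
# the object id of the Microsoft Teams cloud app and of the pilot group in your tenant.
TEAMS_APP_ID = "<teams-cloud-app-object-id>"
PILOT_GROUP_ID = "<pilot-group-object-id>"

# Client app types as named in the Graph conditionalAccessConditionSet schema.
BROWSER = "browser"
DESKTOP_AND_MOBILE = "mobileAppsAndDesktopClients"

# Assumed definition of a managed device: Intune-compliant or hybrid Azure AD joined
# (trustType "ServerAD"). These devices are excluded, so only unmanaged devices are routed.
MANAGED_DEVICE_RULE = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'


def build_app_control_policy(app_id=TEAMS_APP_ID, group_id=PILOT_GROUP_ID,
                             client_app_types=(BROWSER, DESKTOP_AND_MOBILE)):
    """Return the request body for POST /identity/conditionalAccess/policies.

    cloudAppSecurityType "mcasConfigured" is the Graph name for the 'Use custom policy'
    option: enforcement is delegated to the access and session policies in Cloud App Security.
    """
    return {
        "displayName": "Teams - route unmanaged-device sessions to Cloud App Security",
        # Report-only first; switch to "enabled" once sign-in logs show the expected matches.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": list(client_app_types),
            "applications": {"includeApplications": [app_id]},
            "users": {"includeGroups": [group_id]},
            "devices": {"deviceFilter": {"mode": "exclude", "rule": MANAGED_DEVICE_RULE}},
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}
        },
    }


def lint_app_control_policy(policy):
    """Return a list of findings for the configuration gaps discussed in this thread."""
    findings = []
    conditions = policy.get("conditions", {})
    client_types = set(conditions.get("clientAppTypes", []))
    if DESKTOP_AND_MOBILE not in client_types:
        findings.append("clientAppTypes lacks mobileAppsAndDesktopClients: desktop Teams "
                        "sign-ins bypass this policy and never reach the CAS access policy")
    if BROWSER not in client_types:
        findings.append("clientAppTypes lacks browser: the CAS session policy that blocks "
                        "downloads only sees browser sessions, and none would be routed")
    cas = policy.get("sessionControls", {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        findings.append("sessionControls.cloudAppSecurity is missing or disabled: no session "
                        "is routed to Cloud App Security")
    elif cas.get("cloudAppSecurityType") == "blockDownloads":
        findings.append("cloudAppSecurityType blockDownloads is the built-in browser-only "
                        "control; use mcasConfigured so a CAS access policy can also cover "
                        "native clients")
    if not conditions.get("devices", {}).get("deviceFilter"):
        findings.append("no device filter: compliant and hybrid-joined devices are restricted "
                        "as well as unmanaged ones")
    return findings


if __name__ == "__main__":
    good = build_app_control_policy()
    print(json.dumps(good, indent=2))
    print("findings (correct policy):", lint_app_control_policy(good))
    browser_only = build_app_control_policy(client_app_types=(BROWSER,))
    print("findings (browser-only policy):", lint_app_control_policy(browser_only))
```

The browser-only variant reproduces the situation in gd2020's post: the session policy works for web sessions, but desktop clients are never evaluated, so nothing stops downloads in the native app. The policy is created in report-only state on purpose; check the sign-in log for the expected matches before enabling it.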
