Using Cloud Apps Security to restrict cut, copy, paste, printing, and file downloads from non-Intune compliant endpoints

Date:Sunday, Dec 13, 2020
Author: Paul Maggs
Reading Time: 9 minutes
Tags: Security and Compliance Cloud App Security
Categories: Security Tips

Microsoft’s Cloud Apps Security (MCAS) extends the conditional access configuration and alerting capabilities provided by Azure Active Directory. Many organisations rely on conditional access to control the devices people use to access corporate data, and in many instances to block access if devices do not meet compliance requirements.

But what happens if blocking access from unmanaged devices is too restrictive? What if an organisation needs to continue to support access from these devices and can access be enabled in a secure manner? The answer is yes!

Multiple MCAS policy options support unmanaged devices accessing corporate data in a secure manner with mechanisms in place controlling the actions able to be performed, including whether content may be copied, printed, or whether files can be downloaded. Additional options available include securing a document when it is downloaded by automatically applying information protection, whereby encryption is applied to control who has access to documents regardless of where they are stored, to blocking access from desktop applications.

Other benefits when using MCAS conditional access policies include:

Deploying MCAS conditional access policies is simple, yet there are several considerations required to ensure a successful implementation:

Populating MCAS Conditional Access Apps Control apps

Before you can configure a MCAS conditional access policy, you will need to ensure the appropriate connected apps are available from your MCAS portal.

  1. Sign into https://portal.cloudappsecurity.com

  2. Expand Investigate, select Connected Apps, then select Conditional Access App Controls apps

    Cloud App Security conntected apps

    Description: Cloud App Security conntected apps

If you do not see the application you want to control as part of your MCAS conditional access policy then you’ll need to create an Azure AD conditional access policy to route requests to MCAS prior to signing into the Office 365 service you want to include. Without this step you may not be able to configure the ‘Session control type’ required of the policy. This example highlights how to include Exchange Online:

  1. Sign into https://portal.azure.com

  2. Search for and open Azure AD Conditional Access

  3. Create a new policy and use the following settings:

    a. Users and groups: Scope to your test account, exempt any accounts a per your organisational policy, for example break glass

    b. Cloud apps or actions: All cloud apps

    c. Grant: Grant access (You will typically have other policies assigned enforcing MFA, etc)

    Azure AD conditional access grant configuration

    Description: Azure AD conditional access grant configuration

    d. Session: Enable ‘Use Conditional Access App Control’, from the dropdown list choose ‘Use custom policy’

    Azure AD conditional access session configuration

    Description: Azure AD conditional access session configuration

  4. Sign into https://outlook.office.com to force Exchange Online to be included as a connected app. Ensure the Azure AD conditional access policy is correctly redirecting the session to MCAS by reviewing the URL, when working correctly the domain portion of the URL ends .mcas.ms

    Outlook on the Web MCAS URL

    Description: Outlook on the Web MCAS URL
  5. Review your MCAS connected apps to ensure Exchange Online is now available as a conditional access app control app. You may repeat this step for other services you want to include in your policies

MCAS policy restricting cut, copy, paste, and print

Prior to completing this step, ensure the application you want to control is displayed as a conditional access app control app, located under connected apps. See the steps Populating MCAS Conditional Access Apps Control apps if you need to enable this functionality by creating an Azure AD conditional access policy to route requests to MCAS.

Be aware these policies disable cut, copy, and paste between multiple Office 365 browser sessions, for example you cannot open Outlook and Teams as separate browser tabs and then copy content from Outlook into Teams, and vice versa.

This example will block cut, copy, paste, and printing for the test account specified in the Azure AD conditional access policy when accessed from a non-Intune compliant device.

Complete the following steps to create policy blocking cut, copy, paste, and printing:

  1. Sign into https://portal.cloudappsecurity.com

  2. Expand Policies

  3. Select Create policy, select Session policy

  4. From the Policy template drop down, select Block cut/copy and paste based on real-time content inspection. Accept the policy template when prompted, provide a policy name

  5. Configure the Policy severity as low and Category as DLP

  6. The session control type should automatically be configured as Block activities

  7. Configure the Activity source with the following settings

    a. Activity type equals Cut/Copy item, Paste item, Print

    b. User Name equals ‘Add your test user account’

    c. Device Tag does not equal Intune compliant

  8. Uncheck ‘Use content inspection’.

  9. Configure Actions as Block, you may also select a custom message to be displayed when a violation is detected.

  10. Enable alerts, however, for this example email and SMS alerts will not be enabled

Example Policy:

Example policy configuration

Description: Example policy configuration

MCAS policy restricting file downloads

This example blocks file downloads when attempted by the test account specified in the Azure AD conditional access policy from a non-Intune compliant device.

This policy targets all file downloads, however, it is possible to scope restrictions for specific document types which is out of scope of this article.

Complete the following steps to create a policy blocking all file downloads:

  1. Sign into https://portal.cloudappsecurity.com

  2. Expand Policies

  3. Select Create policy, then select Session policy

  4. From the Policy template drop down, select Block cut/copy and paste based on real-time content inspection. Accept the policy template when prompted, provide a policy name

  5. Configure the Policy severity as low and Category as DLP

  6. The session control type should automatically be configured as Control file download (with inspection)

  7. Configure the Activity source with the following settings:

    a. User Name equals ‘Add your test user account’

    b. Device Tag does not equal Intune compliant

  8. Do not add any file filters

  9. Inspection method is configured as None

  10. Configure Actions as ‘Block’, you may also select a custom message to be displayed when a violation is detected. Notice the file options has an option to protect, this allows classification labels to be applied to downloads.

  11. Enable alerts, however, for this example email and SMS alerts will not be enabled

Example Policy:

Example policy configuration

Description: Example policy configuration

MCAS Policy Examples

Once the policies are deployed you can perform functional tests to validate the configuration is correct. To do so, complete the following tasks:

  1. Sign into https://outlook.office.com

  2. Open an email and attempt to copy the contents to the clipboard. A block message will appear as per below

    Cloud App Security block copy message

    Description: Cloud App Security block copy message
  3. Whilst viewing the email, select more options (…) dropdown, then select Print. Once the email is displayed in print view, select Print

  4. The print preview displays the message stating the action is blocked as per below

    Cloud App Security block print message

    Description: Cloud App Security block print message
  5. Select New message, add a Word document as an attachment. Send the document to yourself.

  6. Open the email containing the attachment, attempt to download the file. A block message will appear as per below

    Cloud App Security block download message

    Description: Cloud App Security block download message

    In additional to the block message, a text file is downloaded providing further details:

    Cloud App Security block download text file

    Description: Cloud App Security block download text file

MCAS Alerts

If you enabled alerting for your MCAS policies, the output will resemble the examples shown below. Notice there is a difference in the alert time showing in the dashboard (when the alert arrives into the dashboard) and the alert time when review the alert details (when the alert was triggered by the policy), so keep this in mind when performing investigations:

The alert from the dashboard:

Cloud App Security alert as shown from the alert dashboard

Description: Cloud App Security alert as shown from the alert dashboard

Selecting the alert provides additional information:

Addition alert information when selecting to review an alert from the alert dashboard

Description: Addition alert information when selecting to review an alert from the alert dashboard

An accounts investigation score is derived from all alert scores accumulated within the previous 7 days. The following example shows the block cut/copy and paste alert contributed 30 points to the total score of 422. Combined with other policies the investigation score highlights accounts performing activities which may be deemed risky and require further investigaton.

Cloud App Security investigation score

Description: Cloud App Security investigation score

Document