Using Cloud App Security Session Controls to Protect Sensitive Data

Microsoft Cloud App Security (MCAS) is an amazing tool that a lot of organizations don’t seem to use to its full potential. A huge number of third-party apps are supported and the flexibility it brings is fantastic. As a baseline, Cloud App Security Discovery is a great way to get insight into the web apps in use in the organization, but in my opinion the real value comes from controlling the functionality available to users at a very granular level.

One use case I have come across recently is a customer who has fully adopted Unified Labelling to control the classification of data, and had a requirement to control what could happen to that data based on information about the particular session.

For example, let’s take the below scenario:

  • The customer has all new content labelled and classified using Sensitivity Labels
  • They have Intune Managed – Hybrid Azure AD Joined Devices
  • They have no location or device restrictions on access to Microsoft 365 via a Web Browser
  • The requirement is that documents without classification are only available to download from corporate, Intune managed devices
  • When data is classified, external download becomes available

To achieve this, we can implement MCAS Session Control Policies.

Conditional Access

The first step is to ensure our users are redirected to MCAS. To do this we configure a Conditional Access policy in Azure AD. In this policy we specify the following:

  • This policy applies to all users except the Global Administrator
  • This policy applies to the “Office 365” suite of applications
  • This policy applies to
  • All authentications matching this policy are proxied via MCAS

With this policy set up, all Office 365 sessions will be redirected via MCAS. We can test this by visiting an Office 365 application in a web browser and verifying that everything looks correct, except that we have a different URL, pointing to the MCAS service.
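The same policy expressed as a Microsoft Graph request body, with a small audit function that checks an exported policy against the requirements listed above. This is an added example, not configuration from the original post: the display name and the excluded account's object id are constructed placeholders, and the audit checks are the author's own reading of the bullet list, not a Microsoft tool.

```python
"""Build and sanity-check the Conditional Access policy that proxies Office 365
sessions through MCAS.

The request body follows the Microsoft Graph conditionalAccessPolicy schema
(POST /identity/conditionalAccess/policies). The display name and the excluded
account's object id are constructed placeholders.
"""
import json
from typing import Dict, List

# Constructed placeholder for the Global Administrator account that stays
# outside the policy so a problem with the MCAS proxy cannot lock every admin out.
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000000"


def build_mcas_redirect_policy(excluded_user_ids: List[str]) -> Dict:
    """Return the Graph request body for the policy described in the post."""
    return {
        "displayName": "Proxy Office 365 browser sessions via MCAS",
        "state": "enabled",
        "conditions": {
            # All users except the excluded administrator account(s)
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
            # "Office365" is the Graph identifier for the Office 365 app suite
            "applications": {"includeApplications": ["Office365"]},
            # Conditional Access App Control only acts on browser sessions
            "clientAppTypes": ["browser"],
        },
        "sessionControls": {
            # mcasConfigured = "Use custom policy": MCAS session policies decide
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}
        },
    }


def audit_policy(policy: Dict) -> List[str]:
    """Check a policy (e.g. one exported from Graph) against the requirements in
    the post and return a list of findings; an empty list means it matches."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not target all users")
    if not users.get("excludeUsers"):
        findings.append("no administrator account is excluded")
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "Office365" not in apps:
        findings.append("Office 365 app suite is not in scope")
    if "browser" not in (cond.get("clientAppTypes") or []):
        findings.append("browser sessions are not in scope")
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        findings.append("Conditional Access App Control session control is disabled")
    elif cas.get("cloudAppSecurityType") != "mcasConfigured":
        findings.append(
            f"session control is '{cas.get('cloudAppSecurityType')}', not 'mcasConfigured'"
        )
    return findings


if __name__ == "__main__":
    body = build_mcas_redirect_policy([BREAK_GLASS_USER_ID])
    print(json.dumps(body, indent=2))
    print("findings:", audit_policy(body))
```

Running the audit against every policy returned by `GET /identity/conditionalAccess/policies` is a quick way to confirm that the redirect is still in force after someone edits the policy in the portal, for example switching the session control back to "Monitor only".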

Configure Session Policy

Now that our users are connecting to Office 365 via MCAS, we need to set up some logic to protect our files. We create a new session control policy with the below configuration:

We could also take extra steps, such as automatically applying protection to the data or linking to a Power Automate flow for alerts.
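To make the decision logic of the session policy explicit, here is an added model of it in Python. This is an illustration written for this page, not Defender for Cloud Apps' own matching engine: the device tag names mirror the MCAS device tags used for Intune compliant and Hybrid Azure AD joined devices, the block message wording is constructed, and the events are constructed sample records carrying the fields the policy's filters look at.

```python
"""Model of the session policy described above: block downloads of unlabelled
files from devices that are not corporate managed, allow everything else.

Constructed illustration of the policy's decision logic, not the MCAS engine.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Device tags MCAS assigns to corporate devices; either one marks the device as managed
CORPORATE_DEVICE_TAGS = {"Intune compliant", "Hybrid Azure AD joined"}

# Custom block message shown to the user (constructed wording)
BLOCK_MESSAGE = ("Unclassified documents can only be downloaded on a corporate managed "
                 "device. Apply a sensitivity label to the file to download it here.")


@dataclass
class SessionEvent:
    user: str
    activity: str                     # e.g. "Download", "Print", "View"
    file_name: str
    sensitivity_label: Optional[str]  # None when the file carries no label
    device_tags: Set[str] = field(default_factory=set)


def is_corporate_device(event: SessionEvent) -> bool:
    """True when the session came from a device carrying a corporate tag."""
    return bool(event.device_tags & CORPORATE_DEVICE_TAGS)


def evaluate(event: SessionEvent) -> Tuple[str, Optional[str]]:
    """Apply the policy filters in order; return ("allow", None) or ("block", message)."""
    if event.activity != "Download":   # policy is scoped to download activity only
        return ("allow", None)
    if event.sensitivity_label:        # classified data may be downloaded anywhere
        return ("allow", None)
    if is_corporate_device(event):     # unclassified data stays on managed devices
        return ("allow", None)
    return ("block", BLOCK_MESSAGE)


def blocked_downloads(events: List[SessionEvent]) -> List[str]:
    """Return the file names whose download the policy would block."""
    return [e.file_name for e in events if evaluate(e)[0] == "block"]


# Constructed sample records covering each branch of the policy
SAMPLE_EVENTS = [
    SessionEvent("alice", "Download", "budget.xlsx", None, {"Intune compliant"}),
    SessionEvent("alice", "Download", "draft.docx", None, set()),
    SessionEvent("bob", "Download", "contract.docx", "Confidential", set()),
    SessionEvent("bob", "View", "notes.docx", None, set()),
    SessionEvent("carol", "Download", "plan.pptx", None, {"Hybrid Azure AD joined"}),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        decision, msg = evaluate(e)
        suffix = f": {msg}" if msg else ""
        print(f"{e.user:6} {e.activity:8} {e.file_name:14} -> {decision}{suffix}")
```

Only the unlabelled download from an untagged device is blocked; a labelled file downloads from any device, and unlabelled files still download from devices carrying either corporate tag.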

Test

Now when our user tries to download unclassified content on a non-corporate device, they get this nice friendly message reminding them of our corporate policies:

Using MCAS policies is a really nice way to secure those edge cases where the built-in tools don’t offer a solution. This is just one example of many interesting use cases I’ve come across, not to mention the integration with third-party apps and the powerful discovery functionality.