Microsoft Defender For Cloud Apps is a CASB (Cloud Access Security Broker). As the name suggests, CASBs act as a gatekeeper to broker access in real time between your enterprise users and cloud resources they use, wherever your users are located and regardless of the device they are using.

CASBs do this by discovering and providing visibility into Shadow IT and app use, monitoring user activities for anomalous behaviors, controlling access to your resources, providing the ability to classify and prevent sensitive information leak, protecting against malicious actors, and assessing the compliance of cloud services.

In this topic, I’ll show you how to use Conditional Access and Microsoft Defender for Cloud Apps to restrict Copy / Cut / Past in Office Online.

N.B: This feature works great with Microsoft Edge or Google Chrome. However, with other browsers you can experience weird behavior. In addition, the activity restrictions work only for Office Online and not for Microsoft 365 Apps.

Add connected apps to Microsoft Defender for Cloud Apps

If you connect to Microsoft Defender for Cloud Apps for the first time, you should not have any connected apps. At the moment of writing this topic, only a small number of applications are supported to restrict activities. Obviously, Office Online is supported. To connect to Microsoft Defender for Cloud Apps, you can browse this URL: https://<YOUR TENANT NAME>.portal.cloudappsecurity.com/

Next browse to Investigate and then connected apps. As the following screenshot, you should have nothing.

Microsoft Defender for Cloud Apps

Now open your Azure AD console and navigate through Security and Conditional Access. Create a new policy.

Conditional Access

For a proof of concept, apply this policy to a small amount of users. Then when you will want to make it available for everyone, you will have to select more users or groups.

Create a new policy

In Cloud Apps or Actions, select Office 365.

In Cloud Apps or Actions, select Office 365

Then in session, enable Use Conditional Access App Control to Monitor. When this setting is set to Monitor you will raise alerts for activities you chose to check. Even if you configure in Microsoft Defender for Cloud Apps a blocked activity, while this above setting is set to Monitor, the action won’t be blocked.

To apply policies you define in Microsoft Defender for Cloud Apps, you will have to set this setting to Use Custom Policy to apply what you defined in Microsoft Defender for Cloud Apps.

Use Conditional Access App Control to Monitor

Once the conditional access is applied, open Office Online.

Open Office Online

If you go back in Microsoft Defender for Cloud Apps, you should get some connected apps.

Connected apps

Block Copy cut and past in Office 365

Now that connected apps are available, navigate in Control and Policies. Here you can create several policies related to information protection, threat detection shadow IT and conditional access.

Control and Policies

Navigate to templates and select session policy type. On the right of Block Cut/copy and paste based on real-time content inspection, click on the “+” button.

Navigate to templates and select session policy type

Provide a name for your policy and leave other settings as they are. If you browse all the settings, you can see, or policies are working. In Activities matching you get the request applied to raise an alert and block the activities. This policy applies to all devices that are not compliant in Intune and for selected activities.

Activities matching

Now in Actions you can choose what happen for non-compliant devices where users are doing copy, past and cut. In this example, these activities are blocked, and a custom message is displayed to users. In addition, an alert will be raised in Microsoft Defender for Cloud Apps.

Actions

If you open again Office Online and you try to do a copy / cut or past, you should get a pop-up which indicates that the action is blocked.

The action is blocked

 

An alert should also be raised in Microsoft Defender for Cloud Apps.

Alerts

StarWind Backup Appliance (BA) is an industry-first all-NVMe backup appliance that provides unprecedented levels of backup and recovery speed. It comes as a tiny, pre-configured, ready-to-backup solution that eliminates the backup server storage bottleneck and fits even the strictest RTPO. Consisting of the best commodity hardware, your chosen hypervisor, and a StarWind SDS engine backed by 24/7/365 ProActive Support, StarWind BA ushers in a new age of a future-proof, eco-friendly, transparent, and reasonably priced backup infrastructure. Explore Backup Appliance from StarWind StarWind Backup Appliance Datasheet
Back to blog