In this post we will discuss session policies and how we can build a mechanism with Microsoft Defender for Cloud Apps to block specific actions such as copy and paste.
Let's start by first understanding what Defender for Cloud Apps is. As per Microsoft, Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. Essentially, it helps us protect our cloud apps and the data they handle.
Session policies, which are configured in Microsoft Defender for Cloud Apps, let us control a user's session and the actions they are allowed to perform while they are connected to one of the organization's cloud applications. They are enforced in real time by routing the browser session through the Defender for Cloud Apps reverse proxy.
In this guide we will explore the functionality it provides and walk through creating a session policy that prevents users from copying and pasting data out of their current session when they access a corporate application from their browser.
Conditional Access Policy
We first have to create a conditional access policy in which we enable Conditional Access App Control as the session control. Check this post, in which we created a simple conditional access policy for MS Teams.
To create a new conditional access policy, head to Azure AD (now Microsoft Entra ID) and select Security.
Choose Conditional Access Policy and “Create new policy”.
Give a name to your Conditional Access Policy and select the users or groups to which the policy will be applied.
In this case we chose one user for testing purposes.
Next, select the application to which the conditional access and session policy will apply. We chose the Office 365 cloud app so that users are prevented from copying/pasting sensitive data out of all Office 365 apps (MS Teams, Word Online, etc.). Many predefined or registered applications can be selected for this kind of policy.
To apply this policy to applications accessed via a browser, select Browser in the Client apps section under Conditions. Session controls are enforced by the reverse proxy, so they act on browser sessions and not on traffic from desktop or mobile clients.
Now we have to enable Conditional Access App Control. Move to the Session tab and select it. Choose "Use custom policy" so that we can define the session policy ourselves in Defender for Cloud Apps.
Our setup is complete. Before enabling the policy, select its state (Report-only, On, Off). Use Report-only if you are only conducting tests, since it records the policy outcome in the sign-in logs without enforcing anything, or On to experience the result of the policy as a test user.
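The same Conditional Access policy can be created from PowerShell with the Microsoft Graph SDK, which is handy when the policy has to be reproduced across tenants or reviewed in code. The block below is an added example and is not part of the original post or of any Microsoft sample; the user principal name and the policy name are placeholders, and it needs a live Graph connection with an administrator who can consent to the listed scopes.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# described above with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions (placeholders, change them): the test user's UPN and the policy name.
# Requires the Microsoft.Graph module and an admin who can consent to the scopes below.

$TestUserUpn = 'testuser@contoso.com'                     # placeholder
$PolicyName  = 'Block copy-paste in Office 365 (browser)'  # placeholder

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Resolve the test user to its object ID; CA policies reference users by ID, not UPN.
$user = Get-MgUser -UserId $TestUserUpn -Property Id, UserPrincipalName -ErrorAction Stop

$policy = @{
    displayName = $PolicyName
    # Report-only first: the outcome is logged in sign-in logs but nothing is enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # 'Office365' is the built-in app group shown as "Office 365" in the portal.
        applications   = @{ includeApplications = @('Office365') }
        users          = @{ includeUsers = @($user.Id) }
        # Session controls are enforced by the reverse proxy, so scope to browser sessions.
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        # "Use Conditional Access App Control" -> "Use custom policy" in the portal.
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'mcasConfigured'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' with id $($created.Id) (state: $($created.State))"

# Read the policy back and confirm the session control is in place before moving on
# to the Defender for Cloud Apps session policy.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.SessionControls.CloudAppSecurity.CloudAppSecurityType -ne 'mcasConfigured') {
    throw 'Conditional Access App Control is not set to "Use custom policy"'
}

# Once testing is done, switch the policy from report-only to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The policy is created in report-only state on purpose; the commented `Update-MgIdentityConditionalAccessPolicy` call at the end turns it on once the test user has confirmed the behaviour. Creating the policy does not replace the fresh sign-in and onboarding steps that follow, which Defender for Cloud Apps still needs before a session policy can target the app.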
Application Sign-In – Conditional Access App Control apps
Now that the Conditional Access policy is ready, it is extremely important to perform a fresh sign-in to every application the policy covers (sign in to each app configured in the policy above). This is required so that Defender for Cloud Apps syncs the policy details to its servers for each new app you sign in to, which may take up to one minute. Be sure to sign out of every application before signing in again.
In our case, the test user included in the Conditional Access policy should sign in to the Office 365 web portal and preferably to other applications such as MS Teams, Outlook and Office as well.
To verify that the applications are synced with Defender for Cloud Apps, navigate to the Microsoft 365 Defender portal and check Conditional Access App Control apps under Settings. The applications you just signed in to should be listed there. Follow the steps below to confirm that they are synced.
For each application you just signed in to, click "Onboard with session control" to onboard it and allow monitoring and security actions on it.
Session Policy
Now that the Conditional Access policy is ready, we have signed in to the required applications and onboarded them with session control, let's create the session policy itself.
Navigate to the Microsoft 365 Defender portal and create a new policy.
It is important to mention that if we skipped the earlier steps and have not onboarded the applications with session control, the error below will appear. To avoid it, be sure to onboard the desired applications with Conditional Access App Control first.
Select Session Policy.
At the next step, for convenience, select a policy template. For our case, select the template that blocks copy and paste.
It is good practice to add the application in the filters field. Each time you sign in to an application that is not listed here but is part of the Microsoft 365 suite, it will be added to the policy automatically.
Uncheck "Use content inspection" and make sure the Block action is selected. Here we can also choose to notify the user and selected administrators about blocked actions.
After configuring every setting, create the policy.
User Experience
Now that the session policy is in place, let's sign in as a target user and check the user experience.
After the user connects to the application, a message is displayed indicating that the session is monitored.
By clicking Continue, the user is connected to the portal. As you can see below, the application is opened through the Defender for Cloud Apps (MCAS) reverse proxy, which is visible in the address bar as the proxied application URL with the .mcas.ms suffix.
If the user tries to copy or paste something, the following message is shown.