Block download in Teams (Windows 10 application)
Hello, Is there a way to block data exfiltration (e.g. block download) to Windows 10 Microsoft Teams application (not the web version) in a real time protection manner? Since Intune MAM policies cannot be configured for Windows 10 the only option would be WIP? Thank you, GeorgeBlock upload of files to public locations likes gmail, dropbox etc using Microsoft Cloud App Securit
I have created AIP labels. I have applied them via Microsoft Cloud App Security File policy based on DLP rules. Working fine now. The objective is to stop those file upload to personal storage/email like gmail or dropbox. I looked upon the MCAS session policy which has session control type of control file upload (with DLP). I created one leaving App filter empty, added file filter to match classification labels with inspection method. Now it blocks file upload even to SharePoint Online. The conditional rule is on SPO and ExO with session control using custom policy for conditional access app control. How do I just block files to move out of environment rather blocking upload to SPO or other locations?
Conditional Access using certificate from Internal PKI
Hi, Hi all, Fairly new to Conditional Access. I have a scenario where we want to stop users accessing Office 365 applications if they are coming in from an external connection and don't have a certificate present issued by our internal PKI. Is there a policy that we can configure in conditional access that says: I am coming in from an external connection, look for a user/computer certificate on this device (be that laptop or mobile) and if present allow access. If not present, block access. Primarily the goal is to stop users accessing Office 365 from non corporate, external devices. This seems to fit the bill: https://docs.microsoft.com/en-gb/cloud-app-security/proxy-deployment-aad am I on the right track here? Could configure an app control policy for Office 365, and add a device control/tag to specify a valid client certificate is required? Regards ND
Failed log on (Failure message: Session information is not sufficient for single-sign-on.)
Hey All, I've recently a few impossible travel alerts in which the anomalous logins had the description "Failed log on (Failure message: Session information is not sufficient for single-sign-on.)". Three of these failed login events where seen but none were from IPs with bad reputation. The error code is 50058 for Office 365 SharePoint Online. Reading the description from https://login.microsoftonline.com/error for the error code, I'm not understanding how this activity would be triggered from an anomolous country without session information being stolen. Could anyone shed any light on this? Thankyou
Mass Download Alert
Trying to understand the information in a Mass Download Alert as it seems unclear. Could a mass download alert simply by the OneDrive agent performing a sync of a large number of files? If so how can i tell in what direction i.e. Syncing file from PC to OneDrive or syncing file from OneDrive to PC? If its a sync to or from a PC how can I tell what PC it is? Can I see if its a domain joined and therefore trusted PC. I ask as there could be a scenario that an Office 365 users credentials have been compromised. If they have the cred's and they load OneDrive app on any PC and then sync down the files. How can I tell what machine, trusted or not, it was? Thanks.EMS E3 CAS Discovery Functionality
When I look at the O365 EM+S E3 license setting in the O365 Admin Center, it shows Cloud App Security Discovery as an option. This page https://support.office.com/en-us/article/get-ready-for-office-365-cloud-app-security-d9ee4d67-f2b3-42b4-9c9e-c4529904990a?ui=en-US&rs=en-US&ad=US clearly states that we need E5 to get CAS, but does not mention Cloud App Security Discovery. Can someone please provide me the definitive answer about what is actually possible with EMS E3 regarding CAS.
What does Activity "SupervisoryReviewOLAudit" in Exchange mean - especially regarding EXTERNAL users
hi all I have recently noticed that I have a number of activity logs with "SupervisoryReviewOLAudit" in Exchange and the User is EXTERNAL. The external user also confuses it for me, for example, info@twitter.com and monitoring@bbc.co.uk Can anyone explain a few things 1/ what is the activity type - Run command: task SupervisoryReviewOLAudit 2/ and what do the external users mean in this case Let me know if I need to clarify any points or provide more detail. Thanks for reading, regards Jag
MDATP Integration - Unsanctioned Apps - Allow for some users?
Hi, I've reviewed the documentation @ https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery in relation to blocking unsanctioned apps - specifically using MDATP on Win10 endpoints. The documentation doesn't mention anything about governance when using MDATP - Is the functionality similar to the integration with Zscaler and iBoss, where once an app is tagged as unsanctioned it is blocked on the endpoint for all users? Is there any way to provide greater granularity to the process - ie allow an app for some users and not for others or is it a binary choice for the entire organisation? Thanks Paul
