Protecting Organizational Data in Unmanaged Devices (BYOD) with Microsoft Defender for Cloud Apps
Modern workplace environments have brought new security challenges, particularly when it comes to protecting sensitive data in cloud environments. With the increasing trend of remote working and bring your own device (BYOD), companies must ensure that their security measures are updated to keep their data safe in all environments. Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud Apps Security, offers a comprehensive solution as a Cloud Access Security Broker (CASB). It is a platform that allows you to monitor and control the usage of Azure AD accounts, devices, and third-party cloud apps by your users.
If you want additional information about Defender for Cloud Apps features, see Microsoft's documentation.
License
Ensure you have obtained the necessary license for Microsoft Defender for Cloud Apps before proceeding.
For pricing details, see the Microsoft 365 licensing datasheet
Now let's look at how we can secure our organization's data from unmanaged devices with Defender for Cloud Apps. I will evaluate the policy on Windows clients. For mobile devices running iOS or Android, the Intune App Protection Policy can be used instead of Defender for Cloud Apps.
Step 1: Conditional Access Policy
Create a new policy
Users and groups: Select the user. Start with a test user!
Cloud apps or actions: Select Office 365
Conditions:
Device platforms: Windows
Filter for Devices: Exclude devices that are Hybrid Azure AD joined and marked as compliant, using the rule device.trustType -eq "ServerAD" -and device.isCompliant -eq True (note that with -and, a device is excluded only when it satisfies both conditions).
Session: Use Conditional Access App Control, Use custom policies
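The Step 1 policy can also be created with the Microsoft Graph PowerShell SDK instead of the portal. The following is an added example, not part of the original article: it previews which directory devices the exclusion filter would match, then creates the policy scoped to a single test user with the session control set to "Use custom policies" (cloudAppSecurityType mcasConfigured). The user principal name and policy name are placeholders; the Microsoft.Graph module and a role permitted to write Conditional Access policies are assumed.

```powershell
# Added example (not from the article): Step 1 Conditional Access policy via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the signed-in admin may write Conditional Access
# policies; $TestUserUpn and $PolicyName are placeholders you replace.

$TestUserUpn = "testuser@contoso.example"   # placeholder test user (constructed value)
$PolicyName  = "BYOD - Windows - Route to Defender for Cloud Apps"

# Device filter rule exactly as in the article. With -and, a device is excluded only when it is
# BOTH Hybrid Azure AD joined (trustType ServerAD) AND marked compliant.
$DeviceFilterRule = 'device.trustType -eq "ServerAD" -and device.isCompliant -eq True'

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Directory.Read.All","User.Read.All" -NoWelcome

# Check before enabling: list the devices the exclusion rule matches, so you can confirm that your
# managed fleet is actually excluded (OData filter mirrors the rule's two conditions).
$excludedDevices = Get-MgDevice -Filter "trustType eq 'ServerAD' and isCompliant eq true" -All
Write-Host "Devices that would be excluded by the filter: $($excludedDevices.Count)"

$testUser = Get-MgUser -UserId $TestUserUpn

$params = @{
    displayName = $PolicyName
    state       = "enabled"                       # scoped to one test user, as the article advises
    conditions  = @{
        users          = @{ includeUsers = @($testUser.Id) }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = $DeviceFilterRule
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # portal: "Use Conditional Access App Control" > "Use custom policies"
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Run the device preview first: if the count is zero in a tenant that does have Hybrid Azure AD joined and compliant machines, the filter will not exclude them and managed devices would also be routed through Defender for Cloud Apps.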
Step 2: Defender for Cloud Apps Settings
If you already have the required license, you can access the Defender for Cloud Apps portal from Microsoft 365 Defender.
Before you start, make sure that Defender for Cloud Apps is connected with Office 365.
Click “Connect an app”, select “Office 365” and click “Connect”. Be sure that you selected all components.
If you attempt to create and set up a policy, you will receive a notification indicating that "you don’t have any apps deployed with Conditional Access App Connect".
This message means that to use the policy you are trying to create, you need to have at least one application deployed with Conditional Access App Connect. To resolve this, either deploy an application with Conditional Access App Connect, or, after creating the CA policy in Step 1, sign in with the test user (the user assigned to the CA policy) to the Office apps and then try creating the policy again.
After logging in to several Office 365 applications through a web browser, you can see Connected Apps in the "Conditional Access App Control" section. It's important to verify that the user has been assigned the Conditional Access (CA) policy that was created in step one. This ensures that the policy will be effective and properly enforced for the user.
Step 3: Defender for Cloud Apps: Sessions and Access Policy
When using Microsoft Defender for Cloud Apps with Conditional Access, there are two types of policy configurations available: Access Policy and Session Policy. These policies provide different levels of control and security for cloud applications.
Session Policy
Select Session Policy to Create Policy.
Give Policy Name and Description.
Select "Control file download" as the Session control type.
Configure the "Activities matching" filters.
Under Actions, customize the block message and click Create.
Access Policy
As shown in the 'Visualized Explanation' image, an Access Policy is used to block desktop apps. A Session Policy applies only to browser-based apps, so to block desktop apps from unmanaged devices we need an Access Policy.
To configure the Access Policy, follow the steps below:
- Select the Access Policy option and configure it as described.
- Select 'Block' from the Action options, customize the block message, configure the alert as desired, and then click 'Create'.
Monitoring and Result
After creating both Access and Session policies, we can now test and monitor the results.
During the first login, the user will receive a notification indicating that their browser is now being forwarded to Defender for Cloud Apps.
Session Policy blocking download File from Teams from Unmanaged Device Browser
Access Policy blocking Teams App from Unmanaged Windows App
Monitor from Defender for Cloud Apps Alerts
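Two checks that complement the portal views above, added here as an example and not part of the original article: the first confirms through the Entra sign-in logs that the Step 1 policy was actually applied to the test user (the verification Step 2 asks for), including the device trust and compliance details the filter keys on; the second pulls recent Defender for Cloud Apps alerts through the Microsoft Graph security alerts API, which is the same data the "Monitor from Defender for Cloud Apps Alerts" view shows. The user principal name and policy name are placeholders; the Microsoft.Graph module is assumed.

```powershell
# Added example (not from the article): post-deployment checks via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; $TestUserUpn and $PolicyName are placeholders
# that must match the test user and the Conditional Access policy created in Step 1.

$TestUserUpn = "testuser@contoso.example"   # placeholder (constructed value)
$PolicyName  = "BYOD - Windows - Route to Defender for Cloud Apps"

Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","SecurityAlert.Read.All" -NoWelcome

# Check 1: did the CA policy apply to the test user's recent sign-ins, and from what kind of device?
function Get-CaPolicyApplicationForUser {
    param([string]$Upn, [string]$PolicyDisplayName, [int]$Top = 20)
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top $Top
    foreach ($s in $signIns) {
        $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyDisplayName }
        if ($applied) {
            [pscustomobject]@{
                When      = $s.CreatedDateTime
                App       = $s.AppDisplayName
                Platform  = $s.DeviceDetail.OperatingSystem
                TrustType = $s.DeviceDetail.TrustType      # empty for an unmanaged device
                Compliant = $s.DeviceDetail.IsCompliant
                CaResult  = $applied.Result                # e.g. success, notApplied, reportOnlySuccess
            }
        }
    }
}

# Check 2: alerts raised by Defender for Cloud Apps (the Session/Access policy alerts) in the last N days.
function Get-RecentMdaAlerts {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgSecurityAlertV2 -Filter "serviceSource eq 'microsoftDefenderForCloudApps' and createdDateTime ge $since" -All |
        Select-Object CreatedDateTime, Title, Severity, Status
}

Get-CaPolicyApplicationForUser -Upn $TestUserUpn -PolicyDisplayName $PolicyName | Format-Table -AutoSize
Get-RecentMdaAlerts -Days 7 | Format-Table -AutoSize
```

A row with CaResult "success" and an empty TrustType is what you expect for the unmanaged test device; a managed, compliant device should instead show the policy as notApplied, which confirms the device filter exclusion is working.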
In conclusion, by using Defender for Cloud Apps and Conditional Access, we were able to manage our data on unmanaged Windows clients. The Session Policy provides real-time management of content (such as downloading, copying, and pasting) in browser-based apps, while the Access Policy blocks desktop applications on unmanaged clients.
Security Solution Architect, M365 Modern Workplace, Intune, Azure, IAM, PIM, PAM CISM, CISSP, CISA, CRISC
1y · Really you make my day :)
Senior Software Engineer at Bitburst
1y · Keep doing. Awesome