PRACTITIONER GUIDE | CLOUD SECURITY
Practitioner GuideUpdated 10 min read

Microsoft Defender for Cloud Apps Session Policies: Block Downloads on Unmanaged Devices Without Blocking Access

Inline proxy
MDCA routes sessions through its reverse proxy to inspect and enforce session policies
E5 or EMS E5
License required for Conditional Access App Control -- included in M365 E5
Block download
Most common session policy: allow view, block download on unmanaged devices

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The BYOD access dilemma: employees need to access Microsoft 365 from personal devices for legitimate reasons (travel, home use, emergencies), but allowing full access from an unmanaged device means sensitive files can be downloaded to a device with no endpoint security, no encryption enforcement, and no corporate control. Blocking all access from unmanaged devices reduces productivity and creates shadow IT. MDCA session policies solve this with a middle path: allow access, monitor activity, block only data exfiltration actions (downloads, uploads of sensitive files, clipboard operations). This guide covers the configuration from Conditional Access routing through session policy creation.

Route Unmanaged Device Sessions Through MDCA

Session policies only apply to sessions that are proxied through MDCA. This routing is configured in Conditional Access. Create a Conditional Access policy: Name: Route Unmanaged Devices to MDCA. Assignments > Users: Include All Users. Exclude break-glass accounts. Conditions > Filter for devices: set to 'Exclude compliant and Entra hybrid joined devices' (this targets the unmanaged device sessions). Cloud Apps: Include the apps you want to control (SharePoint Online, Exchange Online, Teams -- add each separately or use the Office 365 suite app). Session > Use Conditional Access App Control = Use custom policy. This CA policy does not block access on its own -- it routes the session to MDCA for inspection. All sessions from non-compliant, non-joined devices to these apps will now transit the MDCA proxy. Managed device sessions are unaffected.

Create the Download Block Session Policy in MDCA

In the Defender for Cloud Apps portal (security.microsoft.com > Cloud Apps > Policies), navigate to Policy Management > Session Policies > Create Policy > Session Policy. Name: Block Downloads on Unmanaged Devices. Session control type: Control file download (with inspection). Under Activities, set: App = SharePoint Online (and repeat for other apps), User = All users, Device tag: not equal to 'Compliant' and not equal to 'Domain joined'. Under Files, you can scope to specific sensitivity labels (to only block download of sensitive labeled files while allowing download of public files) or apply to all files. Action: Block. Optionally check 'Notify user' to display a message explaining why the download was blocked. Test before enforcement: use the MDCA built-in simulation mode -- run the policy in Monitor mode first to see what downloads would have been blocked. After confirming the scope matches expectations, switch to Block.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Add Clipboard and Print Restrictions for Sensitive Data

Download blocking does not prevent a user from copy-pasting document content into an email or taking screenshots. For environments with highly sensitive data, add clipboard and print restrictions: Create a second session policy: Session control type = Block activities. Activities: Clipboard operations (cut, copy) from SharePoint Online on unmanaged devices. This prevents users from copying document text to clipboard applications. Create a third policy for printing: Block activities > Print from SharePoint Online and Exchange Online on unmanaged devices. Limitations: clipboard blocking applies to browser-based sessions only. Desktop applications (Outlook desktop, Teams desktop) require Intune app protection policies for clipboard control -- session policies only control the web browser session proxied through MDCA. For most BYOD scenarios, users access Microsoft 365 via browser on personal devices, making browser-level session policies effective.

Handle the User Experience and Common Issues

When sessions are proxied through MDCA, the URL changes from sharepoint.com to sharepoint.com.mcas.ms. Warn users about this change -- some users report the changed URL as a phishing indicator. You can configure a custom block message that appears when a download is blocked, explaining the policy. Common issues: browser certificate errors (some browsers may warn about the MDCA certificate before users add an exception), Outlook Web App session handling (OWA sometimes breaks when heavily proxied -- test thoroughly), and sync client conflicts (the OneDrive sync client is a desktop application and does not go through the browser proxy; syncing is effectively a download, control it via Intune app protection policy on unmanaged devices separately). The most reliable scope for MDCA session policies is browser-only access on unmanaged devices -- desktop application data protection should be handled by app protection policies.

Monitor Session Policy Activity

MDCA logs all session policy activity in the activity log (Investigate > Activity Log). Filter by policy name to see all blocked downloads, allowed downloads, and flagged activities. Key metrics to review weekly: volume of blocked downloads by user and app (high volumes may indicate policy misconfiguration or a user actively attempting to exfiltrate data), blocked activities from specific users repeatedly (investigate individual patterns), and risky activities from the activity log (MDCA applies risk scoring and may flag sessions for review regardless of policy blocks). MDCA also integrates with Microsoft Sentinel via the Microsoft Defender for Cloud Apps data connector -- session policy violations appear as MDCA alerts in Sentinel. Create a Sentinel analytics rule to alert when the same user has 5 or more blocked download attempts in 1 hour (potential data exfiltration attempt rather than accidental policy trigger).

The bottom line

MDCA session policies provide the middle ground between full BYOD access (risky) and no unmanaged device access (inflexible). The configuration requires two components: a Conditional Access routing policy (to send unmanaged device sessions to MDCA) and a session policy in MDCA (to define what is blocked). The result is a BYOD experience where users can view and work with Microsoft 365 content on personal devices but cannot download files to those devices -- addressing the primary data exfiltration risk while maintaining productivity access.

Frequently asked questions

Does MDCA session policy work with the Teams desktop application?

MDCA Conditional Access App Control primarily controls browser-based sessions. The Teams desktop application uses OAuth tokens to access Microsoft services and does not route through the MDCA browser proxy. To control what Teams desktop users can do on unmanaged devices, use Intune App Protection Policies (APP) configured for the Teams application. These policies can block copy-paste, screenshot, and file save operations in the Teams desktop and mobile applications without requiring device enrollment. Browser-based Teams access is controlled by MDCA session policies.

What is the performance impact of MDCA session proxying?

MDCA sessions are routed through Microsoft's proxy infrastructure (not a third-party service), so latency impact is generally low for users in regions with nearby Microsoft data centers. Most users report no noticeable difference for document viewing and communication tasks. High-bandwidth operations (downloading very large files -- over 100 MB) may be slightly slower due to proxy inspection. Microsoft has multiple MDCA proxy endpoints globally, and the routing selects the nearest proxy. For latency-sensitive applications, test with affected user populations before broad deployment.

Can a user bypass MDCA session policies by using the OneDrive sync client?

Yes, the OneDrive sync client connects directly to SharePoint Online using OAuth tokens and does not route through the MDCA browser proxy. To block sync client access on unmanaged devices, use a Conditional Access policy that requires a compliant or hybrid-joined device for OneDrive sync specifically (set the Cloud App to Microsoft OneDrive for Business and require compliant device). Alternatively, block the OneDrive sync client entirely on unmanaged devices via SharePoint admin center (OneDrive sync settings > Allow sync only for AAD-joined devices).

What license is required for MDCA Conditional Access App Control?

Microsoft Defender for Cloud Apps (formerly MCAS) is included in Microsoft 365 E5 and Microsoft Enterprise Mobility + Security (EMS) E5 licenses. It is also available as a standalone add-on. Conditional Access App Control specifically requires MDCA together with Entra ID P1 or P2 (Entra ID P1 is sufficient for the Conditional Access routing policy; MDCA itself handles the session inspection). Entra ID P1 is included in Microsoft 365 E3, so E3 + MDCA standalone is a common combination.

What is the difference between MDCA session policies and access policies?

Session policies apply after authentication succeeds and control what the user can do within the application: block downloads, watermark documents, block copy-paste, monitor file uploads. They operate at the session level -- the user is allowed in, but their actions are monitored and optionally blocked. Access policies apply at the authentication boundary and can block access entirely before a session is established -- for example, blocking access from unmanaged devices or from risky users. Use access policies for hard blocks (no access at all from these conditions) and session policies for partial-access scenarios (allow access but restrict data exfiltration capabilities). Both are configured in MDCA and both require the Conditional Access routing policy in Entra ID.

How do you configure Microsoft Defender for Cloud Apps to block file downloads from SharePoint on unmanaged devices without breaking managed device access?

The configuration requires a Conditional Access App Control policy in MDCA paired with an Entra ID Conditional Access policy that routes sessions through MDCA. Step one: in Entra ID, create a Conditional Access policy targeting SharePoint Online, set 'Session' control to 'Use Conditional Access App Control' with the 'Use custom policy' option -- this routes compliant managed device sessions through MDCA for monitoring and unmanaged device sessions for restriction. Step two: in MDCA (security.microsoft.com > Cloud Apps > Policies > Session policies), create a session policy with Activity type 'Download (with DLP)', target 'Unmanaged devices' as the device filter, and set Action to 'Block'. Add a DLP content inspection condition if you want to block only sensitive file downloads rather than all downloads. Test with a personal browser (no Intune compliance) to confirm the block applies, and test with a compliant managed device to confirm downloads work. The Conditional Access policy must not block managed devices at the Entra ID layer -- managed devices should pass through with session monitoring only.

Sources & references

  1. Microsoft: Protect Apps with Conditional Access App Control
  2. Microsoft: Create MDCA Session Policies

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.