{"id":16055,"date":"2023-03-20T02:09:41","date_gmt":"2023-03-20T02:09:41","guid":{"rendered":"https:\/\/www.insentragroup.com\/us\/insights\/uncategorized\/block-external-users-from-downloading-files-in-office-365-using-conditional-access\/"},"modified":"2024-10-08T06:12:27","modified_gmt":"2024-10-08T06:12:27","slug":"block-external-users-from-downloading-files-in-office-365-using-conditional-access","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/block-external-users-from-downloading-files-in-office-365-using-conditional-access\/","title":{"rendered":"Block External Users from Downloading Files in Office 365 Using Conditional Access"},"content":{"rendered":"\n<p id=\"block-f64852f6-236a-4832-9f7b-87baf1a3f3a1\"><br>I have been working on several M365-related security projects recently. These primarily consisted of increasing the organization&#8217;s security posture and working towards a Zero Trust architecture. For everything you need to know about Zero Trust please take a look at the <a href=\"https:\/\/www.insentragroup.com\/us\/insights\/resources\/ebooks-and-guides\/the-ultimate-guide-to-zero-trust\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ultimate Guide to Zero Trust<\/a>&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"block-1c14320c-dae9-4728-a192-841df077ca66\">Requirement<\/h3>\n\n\n\n<p id=\"block-35bbc0ae-f18a-4796-b5a6-1abdfa6f181a\">The customer (let\u2019s call them Contoso) has utilized external collaboration quite extensively. Contoso were happy to add external users to Contoso\u2019s internal Teams, however, they did not want external users to have the option to download any files so they can be used outside of Contoso\u2019s environment. 
Contoso are still on their <a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/secure-workplace\/what-is-information-architecture-and-why-do-you-need-it\/\" target=\"_blank\" rel=\"noreferrer noopener\">Information Protection<\/a> journey so any kind of fancy labeling etc. was unfortunately not an option. With this in mind, we had to completely block access for external users. To achieve this requirement, the solution was to create a <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/overview\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Conditional Access<\/a> policy. As always, there are a few prerequisites that are needed before Contoso can achieve the desired solution<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure AD Premium P1&nbsp;<\/li>\n\n\n\n<li>Microsoft Defender for Cloud Apps<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Solution<\/h3>\n\n\n\n<p>To implement this solution you need to have one of the below Azure AD admin roles assigned to your account&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conditional Access Administrator (least privilege)<\/li>\n\n\n\n<li>Security Administrator<\/li>\n\n\n\n<li>Global Administrator<\/li>\n<\/ul>\n\n\n\n<p>All the configuration takes place within <a href=\"https:\/\/entra.microsoft.com\/#view\/Microsoft_AAD_IAM\/EntraNav.ReactView\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Entra admin centre<\/a> &gt; Protect &amp; secure &gt; Conditional Access. 
To create this policy, please follow the below steps<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a new policy&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"523\" height=\"282\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-9.png\" alt=\"\" class=\"wp-image-16056\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-9.png 523w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-9-300x162.png 300w\" sizes=\"(max-width: 523px) 100vw, 523px\" \/><\/figure>\n\n\n\n<p>Give the CA policy an appropriate name, preferably in alignment with <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/architecture\/guide\/security\/conditional-access-framework\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft CA naming conventions<\/a>, for example, \u201cCA001: BLOCK &#8211; Block external users from downloading files in Office 365\u201d&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"519\" height=\"499\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-10.png\" alt=\"\" class=\"wp-image-16058\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-10.png 519w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-10-300x288.png 300w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within Users &gt; Assignments select \u201cGuests or external users\u201d and all for &#8220;Specify external Azure AD organizations (preview)&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"464\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-11.png\" alt=\"\" 
class=\"wp-image-16060\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-11.png 692w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-11-300x201.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within Cloud apps or actions &gt; Select apps and choose \u201cOffice 365\u201d. This will apply to all M365 services, if you require something more granular, for example, Exchange Online, then just select Exchange Online<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"555\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-12.png\" alt=\"\" class=\"wp-image-16062\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-12.png 709w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-12-300x235.png 300w\" sizes=\"(max-width: 709px) 100vw, 709px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Within Access controls > Grant select the following options. 
This will ensure external users must use MFA and can only access M365 services using an <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/concept-conditional-access-grant#require-approved-client-app\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">approved client app<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"311\" height=\"884\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-13.png\" alt=\"\" class=\"wp-image-16064\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-13.png 311w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-13-106x300.png 106w\" sizes=\"(max-width: 311px) 100vw, 311px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lastly, within Access controls &gt; Session, select the following options. This will ensure the external users cannot download a local copy from any Contoso Teams they have been added to&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"325\" height=\"579\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-14.png\" alt=\"\" class=\"wp-image-16066\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-14.png 325w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-14-168x300.png 168w\" sizes=\"(max-width: 325px) 100vw, 325px\" \/><\/figure>\n\n\n\n<p>That is it, you are good to go! I would recommend enabling this policy as \u201cReport-only\u201d for a few days and keeping an eye on the sign-in logs to ensure the CA policy is behaving as you expect. 
Once you have confirmed the CA policy is meeting your expectations, you can set the policy to \u201cOn\u201d and relax knowing that external users cannot download any M365 files.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">CONCLUSION<\/h2>\n\n\n\n<p>In conclusion, implementing a Conditional Access policy can help organizations like Contoso block external users from downloading files in Office 365, while ensuring their information is protected. Following the steps outlined in this article and enabling the policy as &#8220;Report-only&#8221; before going live can ensure the policy is working as expected. With this policy in place, organizations can confidently collaborate with external users while maintaining control over their data. Hopefully, this has been informative and helpful! If you need any further clarification, or a no-frills chat, <a href=\"https:\/\/www.insentragroup.com\/us\/contact\/\" target=\"_blank\" rel=\"noreferrer noopener\">contact us<\/a> at Insentra or read more of my <a href=\"https:\/\/www.insentragroup.com\/us\/insights\/insights-search-results\/?author=Ross%20Kirk\" target=\"_blank\" rel=\"noreferrer noopener\">Insentra Insights<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">RELATED ARTICLES<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access\/\" target=\"_blank\" rel=\"noreferrer noopener\">Protecting Windows Virtual Desktop (WVD) with OKTA and Microsoft Azure Active Directory Conditional Access<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/secure-workplace\/how-to-allow-only-work-account-access-to-apps-using-intune\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to allow only work account access to apps using Intune<\/a><\/p>\n\n\n\n<p><a 
href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/cloud-and-modern-data-center\/securing-and-optimising-access-to-azure-storage-accounts-with-azure-endpoints\/\" target=\"_blank\" rel=\"noreferrer noopener\">Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access\/\" target=\"_blank\" rel=\"noreferrer noopener\">Protecting Windows Virtual Desktop (WVD) with OKTA and Microsoft Azure Active Directory Conditional Access<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to use Conditional Access to block external users from downloading files in Office 365, ensuring your organization&#8217;s information stays protected.<\/p>\n","protected":false},"author":121,"featured_media":16068,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-16055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/121"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=16055"}],"version-history":[{"count":10,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16055\/revisions"}],"predecessor-version":[{"id":18714,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\
/wp\/v2\/posts\/16055\/revisions\/18714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/16068"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=16055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=16055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=16055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}