Modern Management - Part Fourteen – MCAS Blocking File Downloads

Many of the clients I work with have EM+S E5 and very rarely use all the great features it contains. A lot of businesses are looking at or piloting Azure Information Protection (AIP P1 is included in EM+S E3, AIP P2 in EM+S E5) to protect corporate data, but most aren't there yet.

One feature that is often overlooked is the ability to pair Conditional Access with Microsoft Cloud App Security (MCAS) to block file downloads to personal devices, meaning devices that are neither Hybrid Azure AD joined nor marked compliant.

Although the implementation is very straightforward, consider the impact this will have on the users it is assigned to. Please, please, please test it, and communicate the change to your user base before deploying to production.

Let's take a look.

Modern Management - Part One - Autopilot Demo on Hyper-V
Modern Management - Part Two - Office 365 Deployment via Intune
Modern Management - Part Three - Packaging Win32 Application for Intune
Modern Management - Part Four - OneDrive Silent Configuration
Modern Management - Part Five - Windows Updates
Modern Management - Part Six - Resetting Autopilot Devices
Modern Management - Part Seven - Bitlocker
Modern Management - Part Eight - Windows Activation
Modern Management - Part Nine - BGinfo via Intune
Modern Management - Part Ten - Harvesting Autopilot Hardware IDs
Modern Management - Part Eleven - Migrate File Shares to Teams
Modern Management - Part Thirteen - Skype for Business to Teams Migration
Modern Management - Part Fourteen – MCAS Blocking File Downloads

The first thing we need to do is connect Office 365 to Cloud App Security from the Cloud App Security portal. This simple process is well documented, so I won't repeat it here.

Once connected, we head over to the Azure Portal and then to Conditional Access. Here I have created a policy called 'MCAS - Block Downloads' which is applied to 'All cloud apps':

In this instance it is just applied to my own account:

Now we use the 'Device state' condition to exclude Hybrid Azure AD joined devices and compliant devices (newer tenants have retired 'Device state' in favour of 'Filter for devices', which expresses the same exclusion as a rule on the device's trust type and compliance state):

We then add a 'Session' control, 'Use Conditional Access App Control', set to 'Block downloads':
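The same policy can be built without clicking through the portal. The script below is an added example, not from the original post, and uses the Microsoft Graph PowerShell SDK to create the 'MCAS - Block Downloads' policy with the same scope (one pilot user, all cloud apps), the same device exclusion and the same session control. It assumes the Microsoft.Graph module is installed and the signed-in account can grant the Policy.ReadWrite.ConditionalAccess scope; `$PilotUserId` is a placeholder for the pilot account's object ID. The portal's 'Device state' condition is written here as a device filter in exclude mode, which is how current tenants express it, and the policy is created in report-only state so it can be evaluated before it is enforced.

```powershell
# Added example (not the original post's code): create the 'MCAS - Block Downloads'
# Conditional Access policy via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed (Install-Module Microsoft.Graph),
# an account able to consent to Policy.ReadWrite.ConditionalAccess,
# and $PilotUserId replaced with the object ID of your pilot user.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$PilotUserId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot user's object ID

$policy = @{
    displayName = "MCAS - Block Downloads"
    # Report-only first: the policy is evaluated and logged in sign-in logs
    # but not enforced. Switch to "enabled" once the pilot is done.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($PilotUserId) }
        applications = @{ includeApplications = @("All") }
        # Equivalent of the portal's 'Device state' exclusion:
        # trustType ServerAD = Hybrid Azure AD joined, isCompliant = Intune compliant.
        # Exclude mode means any device NOT matching the rule (including unregistered
        # personal devices) stays in scope and gets the session control.
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "ServerAD" -or device.isCompliant -eq True'
            }
        }
    }
    # Session control: route browser sessions through Cloud App Security using the
    # built-in 'Block downloads' policy.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "blockDownloads"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the device filter and session control were stored
# as intended before anyone relies on it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Devices.DeviceFilter | Select-Object Mode, Rule
$check.SessionControls.CloudAppSecurity | Select-Object IsEnabled, CloudAppSecurityType

# After testing and communicating the change, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Creating the policy in report-only state lets you review the Conditional Access sign-in log for the pilot user and confirm which sessions would have been proxied before flipping it to enforced. If you prefer the legacy 'Device state' condition in an older tenant, the portal still reflects it, but the device filter above is the form Graph expects going forward.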

Once the policy applies, the user's browser session to the app is routed through the MCAS reverse proxy, and they are shown a notice that the session is being monitored. Here's an example for Teams:

You can also tell this has taken effect by looking at the address bar: the app's own hostname now has the Cloud App Security proxy domain appended as a suffix:

Now, if we browse to OneDrive on a device that is not Hybrid Azure AD joined and try to download a file:

We are blocked from downloading the data:

A .txt file is downloaded in place of the requested file, informing you that the action was not allowed:

Now, if we take a look in the Cloud App Security portal, select 'Investigate' and review the activity log, we can see the download that was blocked by the policy:

And there we have it: your corporate data can no longer be downloaded through the browser to devices you don't manage. Bear in mind that session controls only cover browser sessions proxied through MCAS; native desktop and mobile clients are not routed through the proxy, so they need their own Conditional Access policy (for example, requiring a compliant device or an approved client app) to close the same gap.