Block OneDrive Downloads and Audit OneDrive Activity! (SharePoint too!)

Do you have a business requirement to block the download of specific files or file types from OneDrive? What about detailed auditing to understand what files are downloaded or viewed? Well, today is your lucky day – because this is all possible with Microsoft security technology and takes minutes to create. I’m going to walk you through how to do this, and in return, make you look like an IT Rockstar to your organization!

Note: There are other methods to restrict those files from being synchronized by the OneDrive desktop client (configured in the SharePoint Online Admin Portal); we won’t cover those today.

IMPORTANT: Nothing is 100% secure and it’s all about defense in depth. If you want that extra ply in the tinfoil hat, I highly recommend protecting and encrypting those files with Azure Information Protection as that extra layer of protection.

Also, it’s important to note that the method below is in public preview at the time of this writing.

Background:

My organization, an engineering firm, designs buildings for its commercial and government clients. These design plans often contain additional documentation in the form of .PDF files and sometimes photos in the form of .JPEG (or .jpg) files.

Scenario:

These .PDF and .JPEG files are highly confidential and thus we want to make sure they never leave OneDrive in Office 365 and can only be viewed in a web browser. In other words, we need to block the ability for an end-user to download these two file types from OneDrive. So, how do we do this?

Solution:

Azure Active Directory Conditional Access and Microsoft Cloud App Security Conditional Access App Control to the rescue! These two products are part of Microsoft 365 E5 or EMS E5 or my new favorite: Microsoft 365 E3 + Identity & Threat Protection. The two products that make up this solution are Azure Active Directory and Microsoft Cloud App Security.

Let’s take a look at how to do this!

Step 1: Create an Azure AD Conditional Access Policy

From within the Azure portal -> Azure Active Directory -> Conditional Access -> New Policy I am going to create a new policy. First, give it a name, “OneDrive Block JPEG and PDF”. Next, assign it to specific users or groups of users. For testing purposes I’m assigning it to Adele Vance (IMPORTANT: Don’t lock yourself out! Careful planning is required when assigning to all users).

Next, add Office 365 SharePoint Online as the cloud app the policy applies to:

Under Session, select Use Conditional Access App Control, then click Done.

Next, click Enable policy to enable the policy, then click Create.
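As an added example that is not part of the original post, here is the policy from Step 1 expressed as the Microsoft Graph `conditionalAccessPolicy` JSON body that the portal builds behind the scenes, together with a pre-flight check for the “don’t lock yourself out” warning above. The user object ids, the break-glass account id and the policy name are constructed placeholders; the SharePoint Online application id is the well-known first-party id. The script only builds and checks the body; submitting it to `POST /identity/conditionalAccess/policies` requires an authenticated Graph client that is not shown.

```python
"""Build and sanity-check a Conditional Access policy body that routes
Office 365 SharePoint Online / OneDrive sessions through Cloud App Security
session control (Microsoft Graph `conditionalAccessPolicy` schema).

Added illustration; not code from the original post. The user ids and the
break-glass account id are constructed placeholders, not real tenant values.
"""
import json

# Well-known application id of the first-party "Office 365 SharePoint Online" app.
SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"

# Constructed placeholder object ids.
ADELE_VANCE_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_ADMIN_ID = "99999999-9999-9999-9999-999999999999"


def build_session_control_policy(display_name, include_users, exclude_users=(),
                                 state="enabled"):
    """Return the policy body equivalent to the portal steps in Step 1:
    assigned users -> Office 365 SharePoint Online -> Session: Use Conditional
    Access App Control. cloudAppSecurityType 'mcasConfigured' means "enforce
    the session policies defined in Cloud App Security"."""
    return {
        "displayName": display_name,
        # Valid states: enabled, disabled, enabledForReportingButNotEnforced
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(include_users),
                "excludeUsers": list(exclude_users),
            },
            "applications": {"includeApplications": [SHAREPOINT_ONLINE_APP_ID]},
            "clientAppTypes": ["all"],
        },
        "sessionControls": {
            "cloudAppSecurity": {
                "isEnabled": True,
                "cloudAppSecurityType": "mcasConfigured",
            }
        },
    }


def lockout_risks(policy):
    """Pre-flight check for the lock-out warning: return a list of findings
    (an empty list means the scoping looks safe to enable)."""
    findings = []
    users = policy["conditions"]["users"]
    scoped_to_everyone = "All" in users["includeUsers"]
    if scoped_to_everyone and not users["excludeUsers"]:
        findings.append("targets All users with no excluded break-glass account")
    if scoped_to_everyone and policy["state"] == "enabled":
        findings.append("enforced for All users; stage it with "
                        "enabledForReportingButNotEnforced first")
    return findings


def policy_json(policy):
    """Serialise the body for a POST to /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    pilot = build_session_control_policy("OneDrive Block JPEG and PDF", [ADELE_VANCE_ID])
    print(policy_json(pilot))
    print("pilot findings:", lockout_risks(pilot))
    everyone = build_session_control_policy("OneDrive Block JPEG and PDF", ["All"])
    print("all-users findings:", lockout_risks(everyone))
```

Running it prints the pilot body scoped to the single test user with no findings, and two findings for an enforced policy scoped to All users with no exclusions; adding a break-glass exclusion and the report-only state clears them.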

Step 2: Launch OneDrive (via portal.office.com)

Wait 15 minutes for the new Conditional Access policy to propagate. Next, open a new browsing session (InPrivate, or on another computer) and log on as the test user the policy was just assigned to. In my case, I am going to sign in to portal.office.com in an in-private session as Adele. Browse to OneDrive in the Office portal and open a file in the web browser. Sign out of this web browsing session when done.

Step 3: Configure Microsoft Cloud App Security

We now need to configure Microsoft Cloud App Security (CAS) and create the appropriate policies.

To start, validate that OneDrive is a connected application by browsing to http://portal.cloudappsecurity.com and navigating to Investigate -> Connected Apps. Notice that OneDrive for Business is listed and connected (yes, you can also connect CAS to G Suite, Box, and other apps!).

Next, click on Conditional Access App Control apps and OneDrive for Business will also be displayed:

Step 4: Create the Session Policy in Microsoft Cloud App Security

Next, we need to create the policy that will provide the session control when Adele uses OneDrive in the Office 365 Portal. To do this, navigate to Control -> Policies, click New Policy and select Session Policy.

Let’s give the policy a name and description:

Next, under Session control type select Control file download (with DLP). Under Activity source and activity filters, configure the filters per the screenshot below (not reproduced here) so that downloads of the .PDF and .JPEG file types from OneDrive for Business are matched.

Scroll down (leave content inspection blank and don’t check the box) and under Actions select Block. OPTIONAL: Configure user email notification or customize block message. When finished at the bottom of the page click Create.
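To make the filter logic of Step 4 concrete, here is an added example (not code from the original post, and not Cloud App Security’s own logic or schema) that models a session policy of type Control file download (with DLP) with the action Block as a small evaluator, and runs it over constructed activity records. The record shape, the policy fields and the `evaluate_session_policy` function are simplifications assumed for illustration. It shows two details worth checking during testing: extension matching should be case-insensitive so `.JPEG`, `.jpg` and `.PDF` are all caught, and only downloads are blocked, so viewing in the browser still works.

```python
"""Simplified model of a Cloud App Security session policy of type
"Control file download (with DLP)" with action Block, evaluated over
constructed activity records. Added illustration; the record and policy
shapes are assumptions, not the product's schema.
"""
import os

SESSION_POLICY = {
    "name": "OneDrive: block PDF and JPEG download",
    "app": "OneDrive for Business",
    "users": {"adele.vance@example.com"},   # empty set would mean "all users"
    "activity": "download",
    "extensions": {"pdf", "jpeg", "jpg"},   # compared case-insensitively
    "action": "block",
}


def file_extension(name):
    """Return the lower-cased extension without the dot ('' if none)."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def evaluate_session_policy(activity, policy=SESSION_POLICY):
    """Return 'block' or 'allow' for one activity record."""
    if activity["app"] != policy["app"]:
        return "allow"
    if policy["users"] and activity["user"] not in policy["users"]:
        return "allow"
    if activity["activity"] != policy["activity"]:
        return "allow"          # viewing in the browser is not a download
    if file_extension(activity["file"]) in policy["extensions"]:
        return policy["action"]
    return "allow"


def audit_trail(activities, policy=SESSION_POLICY):
    """Produce audit rows of the kind the Cloud App Security activity log
    surfaces, ready to forward to a ticket system or SIEM (constructed format)."""
    rows = []
    for a in activities:
        decision = evaluate_session_policy(a, policy)
        rows.append({
            "time": a["time"], "user": a["user"], "activity": a["activity"],
            "file": a["file"], "decision": decision,
            "policy": policy["name"] if decision == "block" else None,
        })
    return rows


# Constructed activity records (not real tenant data).
SAMPLE_ACTIVITIES = [
    {"time": "2018-09-10T14:01:00Z", "user": "adele.vance@example.com",
     "app": "OneDrive for Business", "activity": "view", "file": "site-plans.PDF"},
    {"time": "2018-09-10T14:02:10Z", "user": "adele.vance@example.com",
     "app": "OneDrive for Business", "activity": "download", "file": "site-plans.PDF"},
    {"time": "2018-09-10T14:02:45Z", "user": "adele.vance@example.com",
     "app": "OneDrive for Business", "activity": "download", "file": "elevation.JPEG"},
    {"time": "2018-09-10T14:03:20Z", "user": "adele.vance@example.com",
     "app": "OneDrive for Business", "activity": "download", "file": "photo.jpg"},
    {"time": "2018-09-10T14:04:00Z", "user": "adele.vance@example.com",
     "app": "OneDrive for Business", "activity": "download", "file": "notes.docx"},
    {"time": "2018-09-10T14:05:00Z", "user": "other.user@example.com",
     "app": "OneDrive for Business", "activity": "download", "file": "budget.pdf"},
]


def blocked_count(activities=SAMPLE_ACTIVITIES, policy=SESSION_POLICY):
    """Number of activities the policy would block."""
    return sum(1 for r in audit_trail(activities, policy) if r["decision"] == "block")


if __name__ == "__main__":
    for row in audit_trail(SAMPLE_ACTIVITIES):
        print(row)
```

In the sample set, the three downloads of .PDF, .JPEG and .jpg files by the test user are blocked, while the browser view, the .docx download and the download by a user outside the policy scope are allowed; the last case is why the Conditional Access assignment in Step 1 and the user filter in the session policy must agree.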

Step 5: Test the User Experience

Now it’s time to test and validate that this is the behavior we want. Open a new web browsing session and log in as the test user. In my case, I’m going to log in to portal.office365.com using Adele Vance’s account in an in-private browser session.

Once signed in, navigate to OneDrive in the Office 365 Portal. When you click on OneDrive, notice the splash page indicating this site is being monitored!

Also, notice the address of the site. It’s being proxied through CAS.MS, indicating this session is being controlled by Cloud App Security:

Click Continue to Microsoft OneDrive for Business.

Notice I have two files, a .PDF and a .JPEG, in the OneDrive folder:

Hover the cursor over the PDF, click the ellipsis, and select Download.

Notice that the file download is blocked, with a splash message indicating it’s blocked!

Now, I know what you’re wondering: “Matt, what’s that file it wants to save?” When I open that file, it’s just a warning:

From here, within the Cloud App Security Portal, I can audit the activity and receive additional details around this attempt:

Additional alerting can be generated, with an email or SMS notification sent. Imagine having CAS send an email to your ticketing system so you are notified of this violation, or forwarding the event to your SIEM. Endless possibilities.

Conclusion:

As you can see, with a bit of an open mind and creativity, building true security solutions that lead to a real business outcome is entirely possible. The total time spent creating this solution was 10 minutes. Don’t forget to test all the scenarios for this (which obviously will add to the 10 minutes). Questions? Let me know in the comments below!

Enjoy and help us make this world more secure! –Matt Soseman

Intune: Upgrade Windows Pro to Enterprise AUTOMATICALLY!

Do you have a bunch of Windows 10 Pro devices and would like to upgrade them to Windows 10 Enterprise? Microsoft 365 (specifically Microsoft Intune) can help you!

Note: For more information please reference Deploy Windows 10 Enterprise licenses. The following is an example on how to do this with Intune (assuming appropriate licenses have been purchased and assigned).

First, create a Microsoft Intune configuration policy. In the Azure Portal navigate to Microsoft Intune -> Device Configuration -> Profiles. Click Create Profile.

Next, create a new Windows 10 and later profile, with a type of Edition Upgrade. Click Settings.

Click Edition Upgrade.

In the field Edition to upgrade to, select Windows 10 Enterprise. In the Product Key field type in the product key (e.g. a MAK key). Then click OK.

Click OK to save the Edition Upgrade. Click OK again, then click Create.

Next, click Assignments; in the Assign to menu select All Users & Devices, then click Save.

Note: Your assignments may be different per your organization’s requirements. This is only an example. You could also assign only the machines in question, or use a dynamic security group that queries on the device serial number, etc.

On a virtual machine with Windows 10 1803, install Windows 10 Pro:

Note: I’m showing you this to demonstrate the upgrade. Ideally you would sign in with an organizational account in the OOBE when installing Windows. However, if I did that here, you wouldn’t see that I’m coming from Pro 🙂

Notice it’s Windows 10 Pro:

Join the machine to Azure AD to receive the Intune policy:

Reboot the machine and sign in with the user’s Azure AD credentials. Once signed in, open System Information and notice that Windows has been upgraded to Enterprise!

This can be verified in the Intune portal under Device Status for the configuration policy that was previously created:

I hope you found this helpful. Questions? Please let me know in the comments below! Enjoy!

Ignite 2018: Matt’s list of recommended sessions

Microsoft Ignite 2018 is right around the corner, September 24 – 28 in Orlando, Florida. While there are over 1591 sessions, I wanted to share with you the list of sessions that I will either be attending in person or watching on demand later when I get home. Please feel free to use this list to help create your personal schedule, or your on-demand viewing list later. Also, be sure to follow me on Twitter @SosemanMatt and LinkedIn for updates while at Ignite. Here are my recommendations from Ignite 2017. Enjoy!

Tip: Every year I spend ~200 hours watching Ignite sessions while running on the treadmill every evening or on an early Saturday morning to ensure I stay up to speed and keep my skills sharp. These sessions are addicting, and fun! They inspire me to go out and learn more, lab up a scenario, and give me great stories to share with my peers, customers and partners. Click each session to be taken directly to that session’s page on the Microsoft Ignite website.

My Session: BRK3135 – Learn more about security and compliance for Microsoft Teams (Also working the Microsoft Secure Score booth throughout the week, come see me and connect!)

Must See:

THR2303 – How to Shift: Modern Desktop Deployment with Brad Anderson

GS008 – Microsoft security: How the cloud helps us all be more secure

GS006 – Modern teamwork: Transform collaboration and communications with Microsoft 365

GS004 – Simplify your IT management and level up with Microsoft 365

BRK3221 – Combat advanced cyber attacks with Microsoft Cloud App Security

BRK2158 – Elevate the security for all your cloud apps and services with the Microsoft CASB – Cloud App Security

KEY04 – Transform your workplace with Microsoft 365

BRK2295 – Sprint’s Microsoft 365 deployment acceleration strategies

BRK3401 – Azure Active Directory security insights with Conditional Access, Identity Protection, and reporting

BRK2468 – Security for your digital transformation

Office 365

BRK2102 – Better teamwork, together: SharePoint and OneDrive integration with Microsoft Teams

BRK2094 – The future of Yammer: Vision and roadmap

BRK2070 – New in Microsoft 365: Leadership engagement featuring live events

BRK2077 – Workplace Analytics & MyAnalytics: A review of data privacy and GDPR compliance

BRK2160 – The time for Teams: Scenarios to realize the value of Microsoft Teams

BRK2143 – Improving Health Team Collaboration using Microsoft Teams

BRK2140 – Accelerating GDPR compliance with Microsoft 365

BRK3398 – Best practices for a successful Video and Voice deployment on Microsoft Teams

BRK2440 – Citrix and Microsoft: Driving the future of work in the modern workplace, today!

BRK1059 – Enabling Firstline Workers with Microsoft Teams

BRK2393 – Get more done with Planner!

BRK2164 – The best (Outlook driven) day of your life

BRK2004 – The future of threat protection: Become efficient, cost effective, and more secure with Office 365 Threat Intelligence

BRK4002 – Securing your Office 365 environment from advanced phishing campaigns with Office 365 Advanced Threat Protection

Enterprise Mobility + Security

BRK3272 – Authentication and passwords: The good, the bad, and the really ugly!

BRK3401 – Azure Active Directory security insights with Conditional Access, Identity Protection, and reporting

BRK3285 – Deep dive into evolution of Windows app management with Intune

BRK3006 – Defend against mobile threats and increase user productivity with Intune-managed Edge browser

BRK2018 – Efficiently manage security with Microsoft

BRK3241 – Enable Azure Active Directory Conditional Access to secure user access while unlocking productivity across Microsoft 365

BRK2157 – Ensure comprehensive identity protection with Microsoft 365

BRK3029 – Lessons from the field: protecting corporate data on any device with Microsoft Intune

BRK3103 – Manage and secure iOS and MacOS devices and apps with Microsoft Intune

BRK3117 – SecOps and incident response with Azure Advanced Threat Protection: Protect, detect, and respond

BRK4001 – Secure enterprise productivity with Office 365 threat protection services including EOP, ATP, and Threat Intelligence

Windows 10 Enterprise

BRK3018 – Deploying Windows 10 in the enterprise using traditional and modern techniques

BRK3038 – Windows 10 in S mode: Why you should care and how it works

BRK3039 – Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update

BRK3017 – What’s new in Windows 10 mobile device management (MDM)

BRK3211 – Ask the experts: Successfully deploying, servicing, and managing Windows 10

BRK2420 – Beat the Windows 10 deployment clock

BRK3019 – Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network

BRK3014 – Modern deployment with Windows Autopilot and Microsoft 365 (Part 1 of 2)

BRK3015 – Modern deployment with Windows Autopilot and Microsoft 365 (Part 2 of 2)

BRK2002 – Modern desktop deployment and management with Microsoft 365