Defender for Cloud Apps session policy

Most MSPs treat Conditional Access as a light switch. Allow or block. Compliant device or not.

That works right up until a director needs OneDrive from a hotel laptop. Or a contractor needs SharePoint from a personal Mac. So you carve an exception, and the exception slowly becomes the policy.

There’s a third option sitting between allow and block. Almost no one in the SMB world turns it on.

It’s called a session policy, and it lives inside Defender for Cloud Apps. If your client is on E5 or Microsoft 365 E5 Security, they’re already paying for it.

What is a session policy, really?

A session policy is a real-time guardrail that fires after the user signs in. It rides along inside the browser tab.

It can block a download. It can block an upload. It can block copy-paste. It can force a sensitivity label on a file before it leaves OneDrive. It can make a user re-prove MFA before doing something sensitive — all without touching the device.

That’s not access control. That’s session control. Think of it as a referee inside the meeting, not a bouncer at the door.

It needs two pieces to fire. A Conditional Access policy in Entra ID that routes the session through Defender for Cloud Apps using Conditional Access App Control. And a matching session policy in the Defender portal that decides what to do once the session is in flight. Microsoft’s own Conditional Access app control overview is worth a read because it shows the reverse-proxy path the session actually takes.

One licensing note. Defender for Cloud Apps is not in Business Premium. You need E5, M365 E5 Security, or the standalone MDCA add-on. Plenty of SMBs already have it bundled and never realise.

Step-by-Step: blocking download to unmanaged devices

The killer scenario. Someone signs in to OneDrive from a personal laptop. They can read. They can edit in the browser. They cannot save a single file locally. No agent, no Intune enrolment, no work touching their device.

Build the Conditional Access policy

In the Microsoft Entra admin centre, go to Protection > Conditional Access > Policies and start a new policy. Scope it to your pilot group. For the cloud app, choose Office 365. Leave Grant on Grant access with no requirements — the heavy lifting happens elsewhere.

Turn on App Control

In the Session block, tick Use Conditional Access App Control and pick Use custom policy from the dropdown. That single tick is what tells Entra to hand the session to Defender. The full guidance lives in the Microsoft Learn how-to.

Move to the Defender portal

Now jump to security.microsoft.com. Under Cloud apps > Policies > Policy management, create a new Session policy. Start from the Block download based on real-time content inspection template — it saves a lot of clicks.

Filter to OneDrive and unmanaged devices

Set Activity source to Office 365 > OneDrive for Business. Add a filter: Device tag = Unmanaged. The action becomes Block file download.

Write a real block message

Don’t ship the Microsoft default. Tell the user why the file won’t download and what to do next. A blank “blocked by policy” page makes users fight the system and ring the helpdesk.

Run it in monitor-only first

Set the policy to Monitor only for a week. Watch the activity log. Confirm you’re catching the right sessions, on the right apps, against the right users. Then flip to Block. Microsoft’s create-a-session-policy walkthrough covers the screens for both modes.

Why this actually changes behaviour

Here’s the real win. Your director still gets OneDrive on the hotel laptop. The board paper opens in the browser. They can read it, comment on it, work through it.

They cannot drop it into the hotel laptop’s downloads folder.

That’s not a compromise. That’s the policy doing what you actually wanted the whole time.

“But why can’t I just block unmanaged devices outright?”

You can. You’ll also block every legitimate contractor, every guest reviewer, every consultant on a personal machine. Block is a single-use tool. Session policy is a scalpel.

Notice what’s missing? No agent on the device. No MDM. No certificate enrolment. The browser gets reverse-proxied through an *.mcas.ms URL and the session is policed in flight. Edge users get it in-browser with no URL change.

A copy-paste summary of what you’ve actually built looks like this:

Session policy: OneDrive – Block download from unmanaged
  Activity source : Office 365 → OneDrive for Business
  Device filter   : Device tag = Unmanaged
  Action          : Block file download
  Block message   : Custom — explain WHY + WHAT TO DO
  Content scan    : All files
  Phase           : Monitor → Block after 7 days

Notice what’s not in there. No list of apps. No list of file types. The whole policy keys off the device tag, because that’s the bit you can trust — Entra knows whether a device is compliant or unmanaged; the user can’t lie about it.

Where MSPs trip up

Three things bite people on the first rollout.

The Conditional Access policy must include the session control. If App Control isn’t ticked in CA, nothing routes to Defender. Many MSPs build the two policies as separate stories. They’re one story.
Native clients bypass MDCA. Outlook desktop, OneDrive sync, Teams desktop — none of them route through the reverse proxy. If you genuinely need to force browser, use the Entra session control Use app enforced restrictions on top, and read the Conditional Access session controls page before you go further.
Certificate chains matter. If the SaaS app has a partial chain, the proxy goes sideways. Test before you scope wide.

My recommendation

If you’ve got a client on E5 or M365 E5 Security and you’re not running at least one session policy, you’re leaving the most valuable thing in their stack switched off. Walk in next Monday with exactly one policy — block download from unmanaged for OneDrive. Monitor for a week. Flip to block. Show them the activity log.

Session policies aren’t there to keep users out. They’re there to let them in without the data following them out.

How Microsoft Defender for Cloud Apps fortifies Microsoft 365

What is Microsoft Defender for Cloud Apps?

At its core, MDCA is a Cloud Access Security Broker (CASB). It sits between your users and cloud applications (like Microsoft 365) to provide:

Visibility: Discover and identify cloud services and apps being used, including Shadow IT. For M365, it gives deep insights into activities within Exchange Online, SharePoint Online, OneDrive, Teams, etc.
Data Security: Identify and control sensitive information (DLP capabilities) within M365, preventing data leakage.
Threat Protection: Detect anomalous behavior, malware, and other threats targeting your M365 data and users.
Compliance: Assess if your cloud app usage, including M365 configurations, aligns with compliance requirements.

How MDCA Improves Microsoft 365 Security:

Enhanced Visibility & Activity Monitoring:
- MDCA logs detailed activities within M365 (file shares, downloads, logins, admin changes, mail rule creations, etc.). This is far more granular than standard M365 audit logs alone and is presented in a way that’s easier to query and investigate.
- You can see who is accessing what, from where, and what they’re doing with the data.
Advanced Threat Detection & Anomaly Detection:
- MDCA uses User and Entity Behavior Analytics (UEBA) to learn normal user patterns. It can then flag suspicious activities like:
  - Impossible travel: Logins from geographically distant locations in a short time.
  - Mass downloads/deletions: A user suddenly downloading or deleting an unusual number of files.
  - Suspicious inbox rules: Creation of forwarding rules that might exfiltrate email.
  - Ransomware activity: Rapid encryption of files.
  - Compromised account activity: Unusual administrative actions.
Data Loss Prevention (DLP) and Information Protection:
- Integration with Microsoft Purview Information Protection: MDCA can read sensitivity labels applied by Purview.
- Content Inspection: It can scan files in SharePoint Online and OneDrive for sensitive data (credit card numbers, PII, custom keywords, etc.) even if they aren’t labeled.
- Policies: You can create policies to automatically:
  - Apply sensitivity labels.
  - Restrict sharing (e.g., remove external sharing links for files containing PII).
  - Quarantine files.
  - Notify admins or users.
OAuth App Governance (Third-Party App Control):
- Many users grant third-party apps access to their M365 data (e.g., “Login with Microsoft,” calendar sync apps). Some of these apps can be risky.
- MDCA discovers these OAuth apps, assesses their permission levels and community trust, and allows you to:
  - Approve/Ban apps: Sanction safe apps and ban risky ones organization-wide.
  - Revoke app access: For specific users or for an entire app.
  - Get alerted on new, risky apps being authorized.
Conditional Access App Control (Session Control):
- This is a powerful feature used in conjunction with Microsoft Entra Conditional Access.
- When a user session to M365 apps (like SharePoint, Exchange Online) is routed through MDCA (as a reverse proxy), you can apply real-time controls:
  - Block downloads/uploads: Prevent users on unmanaged devices from downloading sensitive files.
  - Monitor sessions: Log all activities without blocking.
  - Block copy/paste: Prevent data exfiltration.
  - Apply labels on download: Ensure files downloaded to unmanaged devices are labeled and protected.
  - Block specific activities: e.g., prevent printing from an unmanaged device.
Security Configuration Assessment:
- While more directly handled by Microsoft Defender for Cloud (for Azure resources) or Microsoft Secure Score, MDCA contributes by identifying misconfigurations or risky behaviors within the M365 app context that could indicate broader security posture weaknesses.

Configuration Examples to Provide Protection:

Here’s how you might configure MDCA (steps are generalized as the UI can evolve, but concepts remain):

Prerequisite: Connect Microsoft 365 to Defender for Cloud Apps.

Go to the Microsoft Defender XDR portal (security.microsoft.com) -> Settings -> Cloud Apps -> Connected apps.
Click “+Connect an app” and select Microsoft 365. Follow the wizard to authorize the connection.

Example 1: Alert on Suspicious Inbox Forwarding Rules

Goal: Detect potential email exfiltration by compromised accounts.
Configuration:
1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.
2. Click Create policy and select Activity policy.
3. Name: “Suspicious Inbox Forwarding Rule Creation”
4. Severity: High
5. Category: Threat Detection
6. Triggers (Activities matching all of the following):
  - Activity type: Create inbox rule (or similar, depending on the exact activity name for Exchange Online).
  - App: Microsoft Exchange Online
  - Rule details/parameters: (You might need to use advanced filters here) Look for rule actions like Forward to, Redirect to where the recipient domain is Not in your organization’s approved domains.
7. Actions:
  - Send alert: Email security admins, create an incident in Microsoft Sentinel.
  - (Optional Governance Action): Suspend user in Microsoft Entra ID (use with extreme caution and after thorough testing).
8. Save the policy.

Example 2: Block Download of “Highly Confidential” Files to Unmanaged Devices

Goal: Prevent sensitive data from being downloaded to personal or untrusted devices.
Prerequisites:
- Microsoft Entra ID P1/P2 for Conditional Access.
- Sensitivity labels (“Highly Confidential”) configured in Microsoft Purview Information Protection.
- Unmanaged devices identified (e.g., via Intune compliance or Hybrid Azure AD Join status).
Configuration:
- Step A: Create a Conditional Access Policy in Entra ID:
  1. Go to portal.azure.com -> Microsoft Entra ID -> Security -> Conditional Access.
  2. Create a new policy.
  3. Name: “MDCA Session Control for SharePoint Unmanaged Devices”
  4. Users: All users (or a pilot group).
  5. Target resources (Cloud apps or actions): Select SharePoint Online.
  6. Conditions:
    - Device platforms: Any device.
    - Locations: Any location.
    - Client apps: Browser, Mobile apps and desktop clients.
    - Filter for devices: Exclude devices Marked as compliant (or Hybrid Azure AD Joined).
  7. Access controls -> Session: Select Use Conditional Access App Control and choose Block downloads (Preview) or Use custom policy... if you want more granular MDCA control.
  8. Enable policy.
- Step B: (If “Use custom policy…” was chosen above) Create a Session Policy in MDCA:
  1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.
  2. Click Create policy and select Session policy.
  3. Name: “Block Highly Confidential Downloads to Unmanaged”
  4. Session control type: Control file download (with DLP).
  5. Triggers (Activities matching all of the following):
    - App: Microsoft SharePoint Online
    - Device Tag: Does not equal Intune Compliant (or your identifier for managed devices).
    - Sensitivity label (from Microsoft Purview Information Protection): Equals Highly Confidential.
    - Activity type: File download.
  6. Actions:
    - Select Block.
    - Customize block message for the user.
    - Send alert.
  7. Save the policy.

Example 3: Detect and Alert on Mass Downloads from OneDrive

Goal: Identify potential data theft or compromised accounts.
Configuration:
1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.
2. Many anomaly detection policies are built-in. Look for “Mass Download” or similar. If it exists, review its settings and enable it.
3. If creating new, select Create policy -> Anomaly detection policy.
4. Name: “Mass Download from OneDrive”
5. Scope: You can scope it to specific users/groups, or all users.
6. Conditions: MDCA’s UEBA engine will handle most of this. You’ll primarily enable the detection type for “Mass Download” and ensure it’s active for Microsoft OneDrive for Business.
7. Risk factors/thresholds: Adjust sensitivity if needed (e.g., number of downloads, timeframe).
8. Actions:
  - Send alert: Email security admins.
  - Create an alert in Microsoft Defender XDR.
9. Save the policy.

Example 4: Govern Risky OAuth Apps

Goal: Prevent risky third-party apps from accessing M365 data.
Configuration:
1. In the Microsoft Defender XDR portal, go to Cloud Apps -> OAuth apps.
2. Review the list of apps. Filter by permissions (e.g., Mail.ReadWrite.All, Files.ReadWrite.All), community trust level, or last used.
3. For a suspicious or overly permissive app:
  - Click on the app.
  - You can choose to Ban app. This prevents new users from authorizing it and revokes existing authorizations.
4. Create a Policy for new OAuth apps:
  - Go to Cloud Apps -> Policies -> Policy management.
  - Click Create policy and select OAuth app policy.
  - Name: “Alert on New High-Permission OAuth Apps”
  - Severity: Medium/High
  - Triggers:
    - Permission level: High
    - Community use: Rare or Uncommon
    - (Optional) Specific permissions: e.g., Mail.Read.All
  - Actions:
    - Send alert.
    - (Optional Governance Action): Revoke app.
  - Save the policy.

Key Considerations:

Licensing: MDCA is typically part of Microsoft 365 E5, EMS E5, or available as a standalone license.
Alert Fatigue: Start with a few high-priority policies and tune them. Don’t enable everything at once.
User Impact: Be mindful of policies that might block legitimate user activity. Communicate changes and have a process for exceptions if needed.
Integration: MDCA works best when integrated with other Microsoft Defender XDR components and Microsoft Sentinel for a holistic security view and response capability.

By leveraging these capabilities and configurations, Defender for Cloud Apps significantly strengthens the security posture of your Microsoft 365 environment, providing deep visibility, data protection, and threat detection beyond the native capabilities of M365 itself.