Preventing Downloads from Unmanaged Devices in O365

Defender for Cloud has publicly documented bypasses despite the countless articles suggesting it can be used to block downloads!

Defender for Cloud Apps is frequently recommended by IT practitioners to prevent users from downloading files on unmanaged devices as an intermediate step before requiring a compliant device for all data access.

At a high level, it works as a reverse proxy that sits in between the user and the actual service.

Configuring the following Conditional Access Policy will "force" this behaviour.

Browsing to outlook.office.com will redirect you straight to a *.mcas.ms domain.

Outlook through Defender for Cloud

Attempting to download emails will result in the following popup. Additionally, the file that does get downloaded does not actually contain the email contents.

Job done right? No...

The Bypass

You can actually bypass Defender for Cloud Apps altogether by setting some magic user-agent strings.

💡
A user agent string is a short line of text sent by your browser to a website's server that identifies the browser type, operating system, software version, and device hardware being used to request the page.

Notably, it's controlled by us, the user.

By using a browser extension for Firefox, Malory instantly becomes a penetration testing expert and can set their browser's user agent string to one of the magic strings.

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) seems to work best.

Browsing to outlook.office.com no longer redirects us to the *.mcas.ms Defender for Cloud domain.

Clicking download on an email will now successfully download the actual email.

This same behaviour can be seen in SharePoint. Without the user-agent string set, we are forced to browse through Defender for Cloud.

With our magic user agent string set, we can browse directly to SharePoint and download to our hearts' content.

The Solution

As far as fixing Defender for Cloud Apps itself goes, Microsoft does not consider this to be an issue.

Fortunately, both Outlook and SharePoint support blocking downloads directly, without relying on the proxy.

Outlook

Exchange Online has a PowerShell-only setting on the Outlook on the web mailbox policy that restricts what the browser client is allowed to do. The ConditionalAccessPolicy parameter accepts the following values (besides Off, the default):

ReadOnly: Users can't download attachments to their local computer, and can't enable Offline Mode on non-compliant computers. They can still view attachments in the browser. This doesn't apply to in-line images.

ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can't view attachments in the browser. This doesn't apply to in-line images.

# Install the Exchange Online module for the current user and sign in as an Exchange admin
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline
# Apply the restriction to the default Outlook on the web mailbox policy
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

Setting the policy
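As an added example (not code from the original post), the following script applies the same restriction to every Outlook on the web mailbox policy in the tenant rather than only OwaMailboxPolicy-Default, then reports which policy each mailbox is assigned to. Mailboxes on a custom policy that is still set to Off would keep their browser downloads, which is what the enumeration catches. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; the $Desired value can be changed to ReadOnly if attachment previews should remain available.

```powershell
# Added example, not code from the original post.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin role.
# Change $Desired to 'ReadOnly' if users should still be able to preview attachments.
$Desired = 'ReadOnlyPlusAttachmentsBlocked'

Connect-ExchangeOnline

# Every OWA mailbox policy that is not at the desired level leaves browser downloads
# open for the mailboxes assigned to it, so iterate over all of them, not just the default.
foreach ($policy in Get-OwaMailboxPolicy) {
    if ($policy.ConditionalAccessPolicy -ne $Desired) {
        Write-Host "Updating $($policy.Name): $($policy.ConditionalAccessPolicy) -> $Desired"
        Set-OwaMailboxPolicy -Identity $policy.Identity -ConditionalAccessPolicy $Desired
    }
    else {
        Write-Host "$($policy.Name) is already set to $Desired"
    }
}

# Read the policies back to confirm the change was applied.
Get-OwaMailboxPolicy |
    Select-Object Name, ConditionalAccessPolicy |
    Format-Table -AutoSize

# Count mailboxes per assigned OWA mailbox policy. A blank assignment means the
# mailbox falls back to the default policy.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object -Property OwaMailboxPolicy |
    Select-Object @{ Name = 'OwaMailboxPolicy'; Expression = { if ($_.Name) { $_.Name } else { '(default)' } } },
                  Count |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The mailbox policy on its own changes nothing until a conditional access policy with "Use app enforced restrictions" targets Exchange Online, so the policy described in the next steps is still required.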

💡
Nothing should happen until you create a matching conditional access policy to make use of the configuration above.

Creating the matching conditional access policy:

  • Users: All users or a pilot group
  • Target resource: Office 365 Exchange Online
  • Conditions: Client apps: Browser or no conditions
  • Session: Use app enforced restrictions
💡
In my lab environment, there didn't seem to be any downside to having this policy alongside the existing Defender for Cloud policy. Do your own testing though.

After some Microsoft minutes and a fresh login, we can no longer download emails in Outlook.

Sharepoint/OneDrive

SharePoint/OneDrive has a similar feature in the SharePoint admin center.

When Access Control for Unmanaged Devices in SharePoint is set to Allow limited, web-only access, SharePoint files can't be downloaded but they can be previewed.
⚠️
README! Ticking this option and saving will immediately create two enabled conditional access policies. One of them blocks access from mobile apps and desktop clients on unmanaged devices.

You'll need to be quick to disable this CAP if you're not ready for it, or descope the policy. Make sure that your workstations are all Entra joined/marked as compliant if you intend to keep it.

After ticking the above box and clicking save, the following conditional access policies are created.

Policy details:

  • Users: All users
  • Target resource: Office 365 SharePoint Online
  • Conditions: Client apps: Mobile apps and desktop clients
  • Grant: Require device to be marked as compliant and Require Microsoft Entra hybrid joined device

Policy details:

  • Users: All users
  • Target resource: Office 365 SharePoint Online
  • Conditions: Client apps: Browser
  • Session: Use app enforced restrictions
💡
You can opt to consolidate these policies with your existing ones if you'd like so long as they provide the same coverage of scenarios.

Also: It can take up to 24 hours for the policy in SharePoint to take effect. It won't take effect for users who are already signed in from unmanaged devices. In our lab, it took ~18 hours for this to take effect.
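As an added example, not code from the original post, here is the PowerShell equivalent of the admin center setting together with a check that the conditional access side is in place. It assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Identity.SignIns modules are installed, a SharePoint administrator role, consent for the Policy.Read.All Graph scope, and a placeholder tenant name of contoso. One point is assumed rather than taken from the post: setting the value with Set-SPOTenant does not create the two conditional access policies that the admin center creates, so they still need to be created as listed above, which is why the script goes on to look for them.

```powershell
# Added example, not code from the original post.
# Assumes: Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Identity.SignIns
# installed; SharePoint admin role; Policy.Read.All consented for the Graph call.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Graph.Identity.SignIns

$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant name
# Well-known Entra ID application ID for Office 365 SharePoint Online.
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant
Write-Host "ConditionalAccessPolicy before: $($tenant.ConditionalAccessPolicy)"

# AllowLimitedAccess is the PowerShell name for "Allow limited, web-only access":
# files can be previewed in the browser but not downloaded. The other values are
# AllowFullAccess (the default) and BlockAccess.
if ($tenant.ConditionalAccessPolicy -ne 'AllowLimitedAccess') {
    Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
}
Write-Host "ConditionalAccessPolicy after:  $((Get-SPOTenant).ConditionalAccessPolicy)"

# Assumed (not stated in the post): the cmdlet alone does not create the conditional
# access policies the admin center creates. Check that at least one policy targets
# SharePoint Online (directly, via the Office 365 group, or via All apps) with
# app-enforced restrictions, and that it is enabled.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$enforcing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $apps = $_.Conditions.Applications.IncludeApplications
    (($apps -contains $SharePointAppId) -or ($apps -contains 'Office365') -or ($apps -contains 'All')) -and
    $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled -eq $true
}

if (-not $enforcing) {
    Write-Warning 'No conditional access policy applies app enforced restrictions to SharePoint Online; the tenant setting has no effect until one exists.'
}
else {
    $enforcing | Select-Object DisplayName, State | Format-Table -AutoSize
    if (-not ($enforcing | Where-Object { $_.State -eq 'enabled' })) {
        Write-Warning 'A matching policy exists but none of them is enabled.'
    }
}

# Propagation delay as noted above: allow up to 24 hours, and sessions already
# signed in from unmanaged devices keep working until the user signs in again.
Disconnect-SPOService
Disconnect-MgGraph | Out-Null
```

Because the Graph check only looks at the application scope and session control, a policy that matches here could still exclude the users or client apps you care about; read the full policy before trusting it.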

Here's what the behaviour looks like after you've applied the policy. The download button simply doesn't appear anymore.

Making the request manually with Burp results in a 302 to an Access Denied page.

References

Set-OwaMailboxPolicy (ExchangePowerShell): In Exchange Online, the default Outlook on the web mailbox policy is named OwaMailboxPolicy-Default. Changes to Outlook on the web mailbox policies might take up to 60 minutes to take effect.

Control access from unmanaged devices - SharePoint in Microsoft 365: How administrators can block or limit access to SharePoint and OneDrive content on devices that aren't compliant or joined to a domain.