How to block download of Office 365 files on an unknown device
From 20 million to 44 million daily Microsoft Teams users by May 2020.
61% of all Teams meetings in the Netherlands are held with video.
Microsoft Teams call minutes have grown from 560 million to 2.7 billion per day. (source)
But we use Microsoft Teams insecurely: on a personal computer, or on our mobile devices.
We all use Microsoft Teams
Collaboration works very well with Microsoft Teams. Secure file collaboration, however, remains a huge challenge now that we work more from home, or on our own computers.
Since the covid-19 crisis, several organizations have adapted to move away from corporate-devices to private devices. In itself, a good move for people who prefer to work on their own devices.
Unfortunately, we have come to a point where organizational documents also end up on every device. And as a company, you'd rather not have that. In this blog, I provide a practical guide to adjusting this behavior.
How to safely handle files in Microsoft Teams?
How can you securely retain documents on organizational devices?
- What you see in this screenshot is two Microsoft Edge browser windows.
- On the left, you see a browser on a Windows 10 device that is known to the organization (the condition).
- On the right, a browser we don't trust: a device foreign to the organization.
Short demo video of conditional access for documents in Teams
- On the left side I work in a Word document from a trusted web browser. I may download it because the device is known (that is the condition: conditional access).
- If the device is not known, as in the right view, then I cannot download it, but I can still edit online.
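The policy behind the two screenshots can be created without the portal. The script below is an added example, not code from the original post: it creates a Conditional Access policy in report-only mode that applies to browser sessions of Office 365 and hands session enforcement to SharePoint and OneDrive ("app enforced restrictions"), and then tells SharePoint to give unmanaged devices limited, browser-only access (online editing allowed, download blocked). It assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules, an account with the Conditional Access and SharePoint administrator roles, and the placeholders `<tenant>` and `<break-glass-group-id>`, which you must replace with your own values.

```powershell
# Added example (not from the original post). Requires:
#   Install-Module Microsoft.Graph
#   Install-Module Microsoft.Online.SharePoint.PowerShell
# Placeholders: <tenant> (your SharePoint tenant name), <break-glass-group-id>
# (object id of an emergency-access group you exclude from every CA policy).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

$policy = @{
    displayName = "Block download of Office 365 files on unmanaged devices"
    # Start in report-only mode; switch to "enabled" after checking the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-id>")
        }
        # "Office365" is the built-in group covering Teams, SharePoint, OneDrive, Exchange, ...
        applications   = @{ includeApplications = @("Office365") }
        # Only browser sessions: the desktop/mobile apps are handled by app protection (MAM).
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        # Let SharePoint/OneDrive decide what an unmanaged (non-compliant,
        # non-hybrid-joined) device may do with a file.
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Tell SharePoint/OneDrive what "restricted" means for unmanaged devices:
# AllowLimitedAccess = open and edit in the browser, but no download, print or sync.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Two things are worth checking before you flip the policy to enabled: the report-only sign-in log entries should show the policy matching only browser sessions from unmanaged devices, and a test user on a known (compliant or hybrid-joined) device should still be able to download, exactly as the left-hand screenshot shows.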
Personalized display of security alert in Teams
When you activate new policies, it is best to communicate clearly so that users understand what is going wrong.
Users work on a device that is not protected by the organization. They may work on documents and they may collaborate, but only within the proposed framework: no downloading.
This can be an agreement you make so that documents can never leak onto devices foreign to the organization.
What is working with documents like in this secure setup?
Users logging in from a system not managed by the organization get this view when they log into Microsoft Teams via the web browser.
It is still possible to work online, edit the document or share it within the organization. Downloading it, however, is no longer possible.
For IT Administrators, there are insights
Microsoft is good at bringing together capabilities of the multiple platforms.
In the Microsoft Cloud App Security portal you can see the attempts to download the document. If desired, you can later attach automatic actions to these events.
License requirements for this blocking document download in Microsoft Teams
To use Conditional Access you need at least an Azure AD Premium P1 license.
Cloud App Security is required to gather the insights pictured above.
Some licenses include Cloud App Security Discovery.
With Microsoft 365 E3 or Microsoft 365 E5 you are always covered. It is also possible with smaller licenses.
In Android, install the Intune Company Portal
If you wish to open a document in Android, your Android device will prompt you to install the Intune Company Portal.
Gear and roll
The security roadmap for document security in 5 steps
Multi-Factor Authentication - It makes no sense to have a secure device without using MFA. If a hacker or a colleague knows the password, they can also log in to Office 365.
Conditional Access - based on conditions, you can automatically make decisions and add additional security layers as the security risk increases.
Self-service password reset - helps users reset their passwords themselves, and is also needed to use the extra security features for Teams. Users can log in passwordless (without entering a password) with their smartphone, and they are happy with that.
Endpoint Security - protect your mobile devices and your Windows 11 devices. It is quite easy to turn on PIN + data control (MAM) on BYOD. This does not affect the person's device and does not require management of the device; it only requires management of the organizational applications, such as Teams, OneDrive and SharePoint.
Information protection - You may have noticed that users can still forward documents to colleagues or external contacts. If you want to address that, you need yet another layer of security: information protection.