CloudAppSecurityDocs/caac-known-issues.md
5 additions & 5 deletions
@@ -21,7 +21,7 @@ In Microsoft Defender XDR, select **Settings** > **Conditional Access App Contro
21
21
22
22
## Maximum file size for session policies based on content inspection in Information Protection
23
23
24
-
When you apply a session policy to block file uploads or downloads based on content inspection in Microsoft Purview Information Protection, inspection is performed on only files that are smaller than 30 MB and have fewer than 1 million characters.
24
+
When you apply a session policy to block file uploads or downloads based on content inspection in Microsoft Purview Information Protection, inspection is performed on only files that are smaller than 30 MB and that have fewer than 1 million characters.
25
25
26
26
For example, you might define one of the following session policies:
27
27
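Review bot: On the changed sentence, "inspection is performed on only files that are smaller than 30 MB" still has the modifier in the wrong place; "inspection is performed only on files that ..." reads correctly. Because the two limits are joined by "and", it would also help to say outright that a file exceeding either limit is not inspected, so readers don't assume large files are covered by the content-inspection rule.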
@@ -43,7 +43,7 @@ The following table lists more examples of files that are and aren't scanned:
43
43
44
44
## Files encrypted with sensitivity labels
45
45
46
-
For tenants that enable co-authoring for files encrypted with sensitivity labels, a session policy to block file upload\download that relies on label filters or file content will operate based on the **Always apply the selected action even if data cannot be scanned** policy setting.
46
+
For tenants that enable coauthoring for files encrypted with sensitivity labels, a session policy to block file upload\download that relies on label filters or file content will operate based on the **Always apply the selected action even if data cannot be scanned** policy setting.
47
47
48
48
For example, assume that a session policy is configured to prevent downloading files that contain credit card numbers and is set to **Always apply the selected action even if data cannot be scanned**. Any file with an encrypted sensitivity label is blocked from downloading, regardless of its content.
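Review bot: The rewritten line keeps the backslash in "file upload\download", which renders literally in Markdown; use "upload or download", as the first section of this file does. The paragraph and the example after it also cover only the case where **Always apply the selected action even if data cannot be scanned** is selected; add a sentence on what happens to files with an encrypted sensitivity label when that setting is not selected.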
This section lists limitations that apply only on sessions that the reverse proxy serves. Users of Microsoft Edge can benefit from in-browser protection instead of using the reverse proxy, so these limitations don't affect them.
57
57
58
-
### Built-in apps and browser plug-ins
58
+
### Built-in app and browser plug-in limitations
59
59
60
60
Conditional Access app control in Defender for Cloud Apps modifies underlying application code. It doesn't currently support built-in apps or browser extensions.
61
61
62
62
As an administrator, you might want to define default system behavior for when a policy can't be enforced. You can choose to either allow access or totally block it.
63
63
64
-
### Context loss
64
+
### Context loss limitations
65
65
66
66
In the following applications, we encountered scenarios where browsing to a link might result in loss of the full path of the link. Typically, the user lands on the home page of the app.
67
67
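Review bot: Renaming the headings to "Built-in app and browser plug-in limitations" and "Context loss limitations" changes their generated anchors, so check for inbound links to the old anchors before merging. The new heading says "plug-in" while the paragraph under it says "browser extensions"; pick one term and use it in both places.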
@@ -73,7 +73,7 @@ In the following applications, we encountered scenarios where browsing to a link
73
73
- ServiceNow
74
74
- Workday
75
75
76
-
### File upload
76
+
### File upload limitations
77
77
78
78
If you apply a session policy to block or monitor the upload of sensitive files, the user's attempts to upload files or folders by using a drag-and-drop operation blocks the complete list of files and folders in the following scenarios:
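Review bot: The context sentence under the renamed "File upload limitations" heading has a subject-verb mismatch ("the user's attempts to upload files or folders ... blocks the complete list"), and it reads as if the attempt does the blocking. Since every change in this file is a wording fix, consider rewording that sentence here too so that the policy is the subject. The heading rename also changes the section's anchor, so check inbound links.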
CloudAppSecurityDocs/proxy-intro-aad.md
3 additions & 3 deletions
@@ -41,11 +41,11 @@ Access and session policies include the following types of activities:
41
41
|**Prevent data exfiltration**|Block the download, cut, copy, and print of sensitive documents on (for example) unmanaged devices. |
42
42
|**Require authentication context**|Reevaluate Microsoft Entra Conditional Access policies when a sensitive action occurs in the session, such as requiring multifactor authentication. |
43
43
|**Protect on download**|Instead of blocking the download of sensitive documents, require documents to be labeled and encrypted when you integrate with Microsoft Purview Information Protection. This action helps protect the document and restrict user access in a potentially risky session. |
44
-
|**Prevent upload of unlabeled files**|Ensure that unlabeled files with sensitive content are blocked from being uploaded until the user classifies the content. Before a sensitive file is uploaded, distributed, and used by others, it's important to make sure that the sensitive file has the label that your organization's policy defined. |
45
-
|**Block potential malware**|Help protect your environment from malware by blocking the upload of potentially malicious files. Any file that's uploaded or downloaded can be scanned against Microsoft Threat Intelligence and blocked instantaneously. |
44
+
|**Prevent upload of unlabeled files**|Ensure that the upload of unlabeled files that have sensitive content is blocked until the user classifies the content. Before a user uploads, distributes, or uses a sensitive file, the file must have the label that your organization's policy defined. |
45
+
|**Block potential malware**|Help protect your environment from malware by blocking the upload of potentially malicious files. Any file that a user tries to upload or download can be scanned against Microsoft Threat Intelligence and blocked instantaneously. |
46
46
|**Monitor user sessions for compliance**|Investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future. Risky users are monitored when they sign in to apps, and their actions are logged from within the session. |
47
47
|**Block access**|Granularly block access for specific apps and users, depending on several risk factors. For example, you can block them if they're using client certificates as a form of device management. |
48
-
|**Block custom activities**|Some apps have unique scenarios that carry risk. An example is sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, scan messages for sensitive content and block them in real time. |
48
+
|**Block custom activities**|Some apps have unique scenarios that carry risk. An example is sending messages that have sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, scan messages for sensitive content and block them in real time. |
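Review bot: In the "Prevent upload of unlabeled files" row, the rewrite changes meaning, not only wording: "uploaded, distributed, and used by others" became "a user uploads, distributes, or uses", which drops "by others", and "it's important to make sure" became "must". Confirm that both changes are intended. In the "Block potential malware" row, the first sentence still mentions only "blocking the upload" while the second now says "upload or download"; align the two so the scope of the malware check is unambiguous.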