I got many questions from customer that they want to block upload of confidential data in Microsoft 365. Is it possible to block that? The answer is yes if you have access to both (CA) Conditional Access and (MCAS) Microsoft Cloud App Security. In CA you need to enabled the “Use Conditional Access App Control” and use a custom policy built in MCAS. This blocking does not work in Teams application. Only if you using the web browser.

Step one is to create a Conditional Access rule. Scope the user and select which application we will apply this function on. In the post I cover the Office 365 preview application that include Mailbox, OneDrive, Teams and SharePoint.

Under Access Control configure a Session. Use Conditional Access App Control to configure custom policy. There you can also configure user to only monitor access to Office 365 applications or block the download within this applications. When this step is done. Build the policy in MCAS.

In MCAS, open policies and create a new session policy. In this policy you can configure the trigger to block content in Microsoft 365.

Name the policy “Block upload of confidential data”. Set the category to compliance. Remove all filter under Activity source and add your own filter. Classification label equals Confidential (Label name). Select Block and enabled “Customize block message”.

It will take effect directly and you can see in the link that MCAS monitor your session. https://alden365-my.sharepoint.com.eu.cas.ms/personal/
An other thing to take decision about is to inform the users about this monitoring, Default is enabled. Users will be prompted every sign-in if they don´t remember the setting for an week.