How to Block Apps on Specific Devices Using Microsoft Defender

  • Hanna Korotka

Not every device in your organization carries the same level of risk. For example:

  • Finance department laptops may handle payroll and banking information.

  • Executive devices often contain highly sensitive company data.

  • Contractor devices may require tighter restrictions than employee-owned systems.

  • Shared workstations may need limited access to cloud applications.


Applying one application policy to every device either over-restricts users who legitimately need an app or under-protects the devices that carry the most risk.


Microsoft Defender for Cloud Apps, integrated with Microsoft Defender for Endpoint, lets administrators block an app only on selected devices: Defender for Endpoint device groups define who is in scope, and a scoped profile attached to the app's unsanctioned tag includes or excludes those groups instead of applying an organization-wide block.


Step 1: Identify Applications That Introduce Risk


Start by reviewing cloud application usage in Cloud Discovery (Cloud Apps > Cloud Discovery), which lists the apps seen in Defender for Endpoint network traffic along with their users, traffic volume, and risk score.

Common examples of apps worth reviewing include:

  • Personal Dropbox accounts

  • Google Drive

  • WeTransfer

  • Consumer file-sharing services

  • Unsanctioned AI tools

  • Unapproved SaaS applications


Before blocking an application, determine whether it presents a genuine business risk or if certain teams require access to perform their work.


Step 2: Create Device Groups


In Microsoft Defender for Endpoint (Settings > Endpoints > Permissions > Device groups), organize devices according to business needs. Each group has a membership rule based on device name, domain, tag, or operating system, so a consistent naming or tagging scheme is what makes the grouping work.

Examples include:

  • Finance Devices

  • Executive Devices

  • Contractor Devices

  • Shared Workstations

  • Corporate-Owned Laptops


Device groups allow you to apply different security controls based on risk and business requirements.
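The simplest way to make a device fall into one of these groups is to give it a device tag and build the group's membership rule on the Tag condition. The following script, an added example that is not from the original post, sets the tag through the documented registry key on an onboarded Windows device. The tag value "Finance" and the matching group rule are assumptions; the group itself still has to be created in the portal.

```powershell
# Added example (not from the original post): tag a Windows device locally so that a
# Defender for Endpoint device group whose rule matches the "Finance" tag picks it up.
# The tag value is hypothetical; the matching device group rule must be created under
# Settings > Endpoints > Permissions > Device groups. Run elevated.

$TagValue = 'Finance'   # hypothetical tag; must match the device group's membership rule
$TagKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# A tag on a device that is not onboarded never reaches the portal, so check first.
# OnboardingState = 1 means the device is onboarded to Defender for Endpoint.
$status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
if (-not $status -or $status.OnboardingState -ne 1) {
    throw 'Device is not onboarded to Microsoft Defender for Endpoint; tag it after onboarding.'
}

if (-not (Test-Path $TagKey)) {
    New-Item -Path $TagKey -Force | Out-Null
}

# The documented value name is "Group" (REG_SZ); the portal surfaces it as a device tag.
New-ItemProperty -Path $TagKey -Name 'Group' -Value $TagValue -PropertyType String -Force | Out-Null

# Show what was written so the result can be compared with the device page in the portal.
Get-ItemProperty -Path $TagKey -Name 'Group' | Select-Object Group
```

The registry method sets a single tag per device, and the tag only appears in the portal after the sensor next reports in. Confirm membership on the device's page in Assets > Devices before relying on the group for blocking.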


Step 3: Create a Scoped Profile


To apply app controls to selected devices, create a Scoped Profile in Microsoft Defender for Cloud Apps under Settings > Cloud Apps > Cloud Discovery > App tags > Scoped profiles (https://security.microsoft.com/cloudapps/settings?tabid=discovery-tags&innertab=scopedProfiles).


A scoped profile lets you define which Microsoft Defender for Endpoint device groups should be included in or excluded from governance actions. An include profile applies the block only to the listed groups; an exclude profile applies it to every onboarded device except the listed groups.


For example, you may choose to exclude:

  • Marketing Devices

  • Creative Team Devices

while applying restrictions to the rest of the organization. The device groups must already exist in Defender for Endpoint before they can be selected in the profile.


Using scoped profiles provides more flexibility than creating separate app-blocking policies for every department.


Step 4: Tag the Application as Unsanctioned


Once the scoped profile has been created:

  1. In the Microsoft Defender portal, go to Cloud Apps > Cloud Discovery > Discovered Apps.

  2. Select the application you want to restrict.

  3. Choose Tag as Unsanctioned.

  4. In the Tag as Unsanctioned dialog, choose Select a profile to include or exclude groups from being blocked.

  5. Choose the scoped profile you created.

  6. Save the configuration.


Microsoft Defender for Endpoint then enforces the block on the devices the scoped profile puts in scope, using network protection to block connections to the app's domains. Three prerequisites must be in place or the tag has no effect: Enforce app access must be turned on under Settings > Cloud Apps > Cloud Discovery > Microsoft Defender for Endpoint, the devices must be onboarded to Defender for Endpoint, and network protection must be enabled in block mode (not audit mode) on those devices.


This allows organizations to restrict access to risky applications while maintaining access for approved device groups.
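Because a missing prerequisite fails silently (the app is tagged, but nothing is blocked), it helps to check the device-side conditions on a representative device in the targeted group. The function below is an added example, not part of the original post; the tenant-side Enforce app access switch cannot be checked locally and is assumed to be on.

```powershell
# Added example (not from the original post): verify on a Windows device that the local
# prerequisites for Defender for Endpoint app blocking are met. The portal-side
# "Enforce app access" setting is assumed to be enabled; it cannot be checked from here.

function Test-AppBlockPrerequisites {
    $problems = @()

    # 1. The device must be onboarded to Defender for Endpoint (OnboardingState = 1).
    $status = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    if (-not $status -or $status.OnboardingState -ne 1) {
        $problems += 'Device is not onboarded to Defender for Endpoint'
    }

    # 2. The Sense service (the Defender for Endpoint sensor) must be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if (-not $sense -or $sense.Status -ne 'Running') {
        $problems += 'Sense service is not running'
    }

    # 3. Network protection must be in block mode: 0 = Disabled, 1 = Enabled (block), 2 = Audit.
    $np = (Get-MpPreference).EnableNetworkProtection
    switch ($np) {
        1 { }
        2 { $problems += 'Network protection is in audit mode: unsanctioned apps are logged, not blocked' }
        default { $problems += 'Network protection is disabled' }
    }

    # 4. Network protection depends on real-time protection being on.
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        $problems += 'Real-time protection is off'
    }

    if ($problems.Count -eq 0) {
        'OK: this device can enforce Cloud Discovery app blocks'
    } else {
        $problems
    }
}

Test-AppBlockPrerequisites

# Remediation for the most common gap (elevated prompt):
# Set-MpPreference -EnableNetworkProtection Enabled
```

Run it on one device from a blocked group and one from an excluded group. Both should pass; the difference in behaviour should come only from the scoped profile, not from a device that happens to have network protection off.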


Step 5: Monitor and Refine Policies


Cloud application usage changes constantly.

Regularly review:

  • Newly discovered applications

  • Security alerts

  • App risk scores

  • Device group assignments

  • Business requirements


Fine-tuning policies helps ensure security controls remain effective without unnecessarily impacting productivity.
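The quickest way to confirm a policy is doing what the scoped profile says is to look for network protection events on a test device. The script below is an added example, not from the original post: it reads the Defender operational log, where event 1126 records a connection blocked by network protection and 1125 records an audit-mode detection that was not blocked. The domain filter "dropbox" is a hypothetical example.

```powershell
# Added example (not from the original post): list network protection events on a test
# device to confirm an unsanctioned app is blocked (event 1126) rather than only
# audited (event 1125). The 'dropbox' match string is a hypothetical example.

function Get-AppBlockEvents {
    param(
        [int]$Hours = 24,
        [string]$Match = 'dropbox'   # hypothetical; substring of the blocked app's domain
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Match } |
        Select-Object TimeCreated,
                      @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1126) { 'Block' } else { 'Audit' } } },
                      Message
}

# A device in a blocked group should show Mode = Block after a user opens the app;
# a device in an excluded group should show no events for that domain at all.
Get-AppBlockEvents -Hours 24 -Match 'dropbox' | Format-List
```

Only Audit entries on a device that should be blocked means network protection is in audit mode there. For a tenant-wide view, the same events are available in advanced hunting in the DeviceEvents table under the ActionType values ExploitGuardNetworkProtectionBlocked and ExploitGuardNetworkProtectionAudited, which also lets you compare the blocked device list against the device groups in the scoped profile.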


Real-World Example: Restricting Personal Cloud Storage


A growing SMB wanted to reduce the risk of sensitive financial information being uploaded to personal cloud storage services.


Instead of blocking Dropbox across the entire company, the IT team created a scoped profile that excluded Marketing Devices while applying restrictions to all other managed devices.


As a result:

  • Sensitive departments could no longer access personal Dropbox accounts from managed devices.

  • Marketing teams retained access where there was a legitimate business need.

  • The organization reduced data leakage risks without introducing company-wide restrictions.


This approach helped the company improve security while maintaining productivity for teams that relied on cloud-based collaboration tools.


As a Microsoft-focused Managed Security Services Provider (MSSP), we help small and midsize businesses design, implement, and manage Microsoft 365 security solutions. Whether you're looking to reduce shadow IT, protect sensitive data, or configure app governance policies tailored to your business, our security experts can help you get the most out of Microsoft Defender.


Want to strengthen your Microsoft 365 security? Contact us for a consultation and discover how we can help secure your cloud environment while keeping your teams productive.

