Step-by-Step Tutorial: How to Block Downloads to Unmanaged Devices in Microsoft 365
- Hanna Korotka
- May 21
- 3 min read
Updated: May 21

Remote and hybrid work are here to stay—but so is the risk of sensitive files “walking out the door.” One click from a personal laptop or borrowed tablet can move corporate data far beyond your control. Fortunately, Microsoft 365 equips security teams with an elegant, productivity-friendly fix: session controls in Microsoft Defender for Cloud Apps (MDCA) combined with Conditional Access. Follow the three steps below to seal the gap in under 30 minutes.
Prerequisites
What you need | Notes
--- | ---
Microsoft 365 E3 plus a Defender for Cloud Apps license, or Microsoft 365 E5 | MDCA (formerly Microsoft Cloud App Security, MCAS) is required for real-time session controls; it is included in Microsoft 365 E5.
Microsoft Entra ID P1 or P2 | Needed for Conditional Access (P1 is included in Microsoft 365 E3 and E5).
OneDrive and SharePoint Online already in use | The guide assumes these workloads are live.
Tip: Run steps 1-3 in a staging or pilot group first. Once you confirm the experience, enforce for everyone.
Step 1: Build a Conditional Access policy
Conditional Access matches browser sign-ins to Office 365 and routes those sessions through MDCA (Conditional Access App Control), so the session policy you build in Step 2 can inspect them and block downloads in real time. Note that the policy below does not itself distinguish managed from unmanaged devices; that distinction is made by the filter in the MDCA session policy.
In Microsoft Entra ID Conditional Access, select New policy.
Enter a name for your policy, and then select the link under Session to add controls to your policy.
In the Session area, select Use Conditional Access App Control.
In the Users area, select to include all users, or specific users and groups only.
Under Target resources, find and select Office 365.
Under Conditions, in the Client apps area, select Browser. Session controls apply to browser sessions only: a desktop client such as the OneDrive sync client on an unmanaged device is not covered by this policy and needs a separate Conditional Access policy (for example, one that requires a compliant device for mobile apps and desktop clients).
Under Enable policy, select On and then select Create. Report-only mode only records what the policy would have done and does not route sessions through MDCA, so scope the policy to your pilot group and enable it rather than relying on Report-only for the test in Step 3.
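The same Step 1 policy can be created from the command line with the Microsoft Graph PowerShell SDK, which is handy for pilot-then-widen rollouts and for keeping the policy in source control. The script below is an added example and is not part of the original article or of any Microsoft sample; the pilot group ID, the break-glass account ID and the policy name are placeholders you must replace, and it assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in admin can consent to the requested scopes.

```powershell
# Added example (not from the original article): create the Step 1 Conditional Access
# policy with the Microsoft Graph PowerShell SDK instead of the Entra portal.
# Placeholders to replace before running:
$PilotGroupId     = "00000000-0000-0000-0000-000000000000"  # object ID of the pilot group (placeholder)
$BreakGlassUserId = "11111111-1111-1111-1111-111111111111"  # object ID of the emergency-access account (placeholder)
$PolicyName       = "CA - Browser sessions to Office 365 via Defender for Cloud Apps"

# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = $PolicyName
    # "enabled" = On. "enabledForReportingButNotEnforced" = Report-only, which does NOT
    # route sessions through MDCA, so the session policy could not be tested.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)   # never put the break-glass account behind a proxy
        }
        applications = @{
            includeApplications = @("Office365")   # the Office 365 app group, as in the portal
        }
        clientAppTypes = @("browser")              # session controls only apply to browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "mcasConfigured" = "Use Conditional Access App Control" with the policies
            # defined in Defender for Cloud Apps (the Step 2 session policy).
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

# Idempotent re-runs: refuse to create a second policy with the same name.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $PolicyName }
if ($existing) {
    Write-Warning "Policy '$PolicyName' already exists (id $($existing.Id)); nothing created."
    return
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state '$($created.State)'"

# Read the policy back and confirm the session control was stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.CloudAppSecurity | Format-List IsEnabled, CloudAppSecurityType
```

To widen the rollout later, replace the pilot group in includeGroups with your all-users group (or use includeUsers = @("All")) and keep the break-glass exclusion in place.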
Step 2: Create a Session Policy in MDCA to Block Downloads to Unmanaged Devices
Session control works in the browser session (MDCA sits in front of the app as a reverse proxy): users can still preview, edit, and co-author online, but download actions are intercepted and blocked.
To create your session policy
In the Microsoft Defender Portal, under Cloud Apps, select Policies > Policy management.
In the Policies page, select Create policy > Session policy.
On the Create session policy page, give your policy a name and description.
Assign a Policy severity and Category.
For the Session control type, select Control file download (with inspection). This control lets MDCA see what users do within a Microsoft 365 session and block or protect downloads in real time.
Under Activity source, scope the policy to unmanaged devices, which is what the title of this guide promises: add the filter Device > Tag > does not equal > Intune compliant, Hybrid Azure AD joined. Without this filter the policy blocks downloads from managed devices as well.
Under Actions, select Block. Customize the blocking message users see when a download is refused, for example by pointing them to the browser-based Office apps.
Under Alerts, configure the alerts you want when the policy matches: a daily alert limit so that you are not flooded, and whether to also receive the alerts by email.
Select Create.
Step 3: Test, Then Enforce for Everyone
Open a private/incognito browser window on a personal (unmanaged) device.
Sign in as a user in the pilot group and open OneDrive or SharePoint in the browser.
Observe the banner that the session is being monitored (in a browser other than Microsoft Edge the address bar typically shows the MDCA proxy suffix .mcas.ms).

Attempt to download a document: MDCA blocks the download and shows your custom message. Repeat the test from a managed (Intune-compliant or hybrid-joined) device and confirm the download succeeds, which proves the device tag filter is working.
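The banner tells you the proxy is in the path, but the authoritative record of whether the Step 1 policy applied to a given sign-in is the Entra sign-in log. The script below is an added example, not part of the original article, that pulls the test user's recent sign-ins and reports the result of the policy for each one; the user principal name and the policy name are placeholders, and it assumes the caller has the AuditLog.Read.All and Directory.Read.All permissions that reading sign-in logs requires.

```powershell
# Added example (not from the original article): verify from the Entra sign-in log
# that the Step 1 Conditional Access policy actually applied to the test user's
# browser sign-in on the unmanaged device.
# Placeholders to replace before running:
$TestUser   = "pilot.user@contoso.example"                                  # placeholder UPN
$PolicyName = "CA - Browser sessions to Office 365 via Defender for Cloud Apps"  # name used in Step 1

# Requires: Install-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-SessionPolicyResult {
    param([string]$UserPrincipalName, [string]$Policy, [int]$Count = 20)

    # Sign-in logs lag a few minutes behind the actual sign-in; newest entries come first.
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Count

    foreach ($s in $signIns) {
        $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $Policy }
        if (-not $hit) { continue }   # policy not evaluated for this sign-in at all

        [pscustomobject]@{
            Time         = $s.CreatedDateTime
            App          = $s.AppDisplayName
            ClientApp    = $s.ClientAppUsed            # expect "Browser"; desktop clients are out of scope
            # "success"           = policy enforced, session routed through MDCA
            # "reportOnlySuccess" = policy is still in Report-only, nothing was enforced
            # "notApplied"        = conditions (user, app, client app) did not match
            PolicyResult = $hit.Result
            Managed      = $s.DeviceDetail.IsManaged   # expect $false for the personal device
            Compliant    = $s.DeviceDetail.IsCompliant
        }
    }
}

Get-SessionPolicyResult -UserPrincipalName $TestUser -Policy $PolicyName | Format-Table -AutoSize
```

If no row appears, the sign-in was not in scope of the policy (check the pilot group membership and the Target resources); if the result is reportOnlySuccess, the policy is still in Report-only and no session was routed to MDCA.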

Conclusion
By combining Conditional Access and MDCA session controls, you block downloads to unmanaged devices without frustrating legitimate users. They can still view and collaborate on documents in the browser, while your sensitive data stays inside the Microsoft 365 tenant—exactly where auditors and cyber-insurers want it.
How PlexHosted Can Help
As an MSSP, PlexHosted can:
Design and deploy your Conditional Access framework in line with Zero-Trust best practices.
Fine-tune MDCA policies so you reduce false positives and keep alert volume manageable.
Integrate Intune Mobile Application Management (MAM) to protect files on iOS and Android.
Provide ongoing Secure Score reviews and executive reports to demonstrate ROI.
Ready to lock down your data? Book a free 30-minute consultation, and we’ll map out the quickest wins for your environment—no obligation, no jargon.