Preventing Downloads from Unmanaged Devices in O365

Contents

Defender for Cloud Apps is frequently recommended by IT practitioners to prevent users from downloading files on unmanaged devices, as an intermediate step before requiring a compliant device for all data access. At a high level, it works as a reverse proxy that sits between the user and the actual service. Configuring the following Conditional Access Policy will "force" this behaviour.

Browsing to outlook.office.com will redirect you straight to a *.mcas.ms domain.

[Screenshot: Outlook through Defender for Cloud]

Attempting to download emails will result in the following popup. Additionally, the downloaded file does not actually contain the file contents.

Job done, right? No...

The Bypass

You can actually bypass Defender for Cloud Apps altogether by setting some magic user-agent strings.

💡 A user agent string is a short line of text sent by your browser to a website's server that identifies the browser type, operating system, software version, and device hardware being used to request the page. Notably, it's controlled by us, the user.

By using a browser extension for Firefox, Malory instantly becomes a penetration testing expert and can set their browser's user agent string to one of the magic strings. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) seems to work best.

Browsing to outlook.office.com no longer redirects us to the *.mcas.ms Defender for Cloud domain. Clicking download on an email will now successfully download the actual email.

This same behaviour can be seen in SharePoint. Without the user-agent string we are forced to browse through Defender for Cloud. With our magic user agent string set, we can browse directly to SharePoint and download to our heart's content.

The Solution

As far as fixing Defender for Cloud itself, Microsoft does not consider this to be an issue. Fortunately, both Outlook and SharePoint support enforcing download blocking directly.
Outlook

A command-line-only configuration exists for Exchange that restricts behaviour when using a browser. The -ConditionalAccessPolicy setting accepts:

- ReadOnly: Users can't download attachments to their local computer, and can't enable Offline Mode on non-compliant computers. They can still view attachments in the browser. This doesn't apply to in-line images.
- ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can't view attachments in the browser. This doesn't apply to in-line images.

    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
    Connect-ExchangeOnline
    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

[Screenshot: Setting the policy]

💡 Nothing should happen until you create a matching conditional access policy to make use of the configuration above.

Creating the matching conditional access policy:

- Users: All users or a pilot group
- Target resource: Office 365 Exchange Online
- Conditions: Client apps: Browser, or no conditions
- Session: Use app enforced restrictions

💡 In my lab environment, there didn't seem to be any downside to having this policy alongside the existing Defender for Cloud policy. Do your own testing though.

After some Microsoft minutes and a fresh login, we can no longer download emails in Outlook.

SharePoint/OneDrive

SharePoint/OneDrive has a similar feature in the SharePoint admin center. When Access control for unmanaged devices in SharePoint is set to "Allow limited, web-only access", SharePoint files can't be downloaded but they can be previewed.

⚠️ README! Clicking this button will immediately create two conditional access policies that are enabled; one policy will block access from apps on unmanaged devices. You'll need to be quick to disable this CAP if you're not ready for it, or descope the policy. Make sure that your workstations are all Entra joined/marked as compliant if you intend to keep it.

After ticking the above box and clicking save, the following CAP policies are created.
Policy 1 details:

- Users: All users
- Target resource: Office 365 SharePoint Online
- Conditions: Client apps: Mobile apps and desktop clients
- Grant: Require device to be marked as compliant and Require Microsoft Entra hybrid joined device

Policy 2 details:

- Users: All users
- Target resource: Office 365 SharePoint Online
- Conditions: Client apps: Browser
- Session: Use app enforced restrictions

💡 You can opt to consolidate these policies with your existing ones if you'd like, so long as they provide the same coverage of scenarios.

Also:

- It can take up to 24 hours for the policy in SharePoint to take effect.
- It won't take effect for users who are already signed in from unmanaged devices.

In our lab, it took ~18 hours for this to take effect. Here's what the behaviour looks like after you've applied the policy. The download button simply doesn't show anymore. Making the request manually with Burp results in a 302 to an Access Denied page.

References

Set-OwaMailboxPolicy (ExchangePowerShell): In on-premises Exchange, the default Outlook on the web mailbox policy is named Default. In Exchange Online, the default Outlook on the web mailbox policy is named OwaMailboxPolicy-Default. Changes to Outlook on the web mailbox policies might take up to 60 minutes to take effect. In on-premises Exchange, you can force an update by restarting IIS (Stop-Service WAS -Force and Start-Service W3SVC). You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
(Microsoft Learn, chrisda)

Control access from unmanaged devices - SharePoint in Microsoft 365: Learn how administrators can block or limit access to SharePoint and OneDrive content on devices that aren't compliant or joined to a domain. (Microsoft Learn, denisebmsft)
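The Outlook and SharePoint/OneDrive steps described above, collected into one script, as an added example that is not part of the original post. It uses the ExchangeOnlineManagement cmdlets quoted in the post, the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy) to create the matching Exchange Online conditional access policy, and the SharePoint Online Management Shell's Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess, which is the cmdlet form of the "Allow limited, web-only access" toggle. The tenant name and pilot group ID are placeholders. The Exchange policy is created in report-only state so sign-in logs can be reviewed before it is enforced, and every OWA mailbox policy in the tenant is checked, since a user assigned a non-default policy is not covered by changing OwaMailboxPolicy-Default alone. Whether the cmdlet route also creates the two SharePoint conditional access policies that the admin-center toggle creates is not covered by the post, so the script assumes you create or verify those separately.

```powershell
# Added example (not from the original post): enforce download blocking for
# Outlook on the web and SharePoint/OneDrive from PowerShell, then verify it.
# Assumes the ExchangeOnlineManagement, Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules are installed.

$TenantName   = 'contoso'                  # placeholder: your SharePoint tenant prefix
$PilotGroupId = '<pilot-group-object-id>'  # placeholder: Entra group used for the pilot

# --- 1. Outlook on the web: restrict the default OWA mailbox policy ----------
Connect-ExchangeOnline

Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' `
    -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

# Verify every OWA mailbox policy, not only the default one: a mailbox that is
# assigned a different policy keeps downloads enabled until that policy is set too.
Get-OwaMailboxPolicy |
    Where-Object { $_.ConditionalAccessPolicy -eq 'Off' } |
    ForEach-Object { Write-Warning "OWA policy '$($_.Name)' still allows downloads" }

# --- 2. Matching conditional access policy for Exchange Online (report-only) --
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$owaPolicy = @{
    displayName = 'Pilot - Exchange Online browser - app enforced restrictions'
    # Report-only first; change to 'enabled' once the sign-in logs look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        # Well-known app ID of the Office 365 Exchange Online service principal.
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $owaPolicy

# --- 3. SharePoint/OneDrive: limited, web-only access on unmanaged devices ----
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Confirm the tenant setting was written; the post notes the behaviour itself can
# take up to 24 hours to appear and does not apply to already signed-in sessions.
(Get-SPOTenant).ConditionalAccessPolicy
```

Run the script once against a pilot group and check the Entra sign-in logs for the report-only policy before switching its state to enabled; the SharePoint setting follows the same 24-hour and existing-session caveats the post describes for the admin-center toggle.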


Source details

Label: Project Black — Research Blog
Name: project_black_blog
Category: threat_intel
Tags: blog, research
Audience: -
Language: de
Feed URL: https://projectblack.io/blog/rss/