Commonly used Microsoft Defender for Cloud Apps information protection policies
Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide information protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly.
Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters, for example, access level and file type. For more information, see File policies.
Detect and prevent external sharing of sensitive data
Detect when files with personally identifying information or other sensitive data are stored in a cloud service and shared with users who are external to your organization, which violates your company's security policy and creates a potential compliance breach.
Prerequisites
You must have at least one app connected using app connectors.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Set the filter Access Level equals Public (Internet) / Public / External.
Under Inspection method, select Data Classification Service (DCS), and under Select type select the type of sensitive information you want DCS to inspect.
Configure the Governance actions to be taken when an alert is triggered. For example, you can create a governance action that runs on detected file violations in Google Workspace in which you select the option to Remove external users and Remove public access.
Create the file policy.
Detect externally shared confidential data
Detect when files that are labeled Confidential and are stored in a cloud service are shared with external users, violating company policies.
Prerequisites
You must have at least one app connected using app connectors.
Enable Microsoft Purview Information Protection integration.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Set the filter Sensitivity label to Microsoft Purview Information Protection equals the Confidential label, or your company's equivalent.
Set the filter Access Level equals Public (Internet) / Public / External.
Optional: Set the Governance actions to be taken on files when a violation is detected. The governance actions available vary between services.
Create the file policy.
Detect and encrypt sensitive data at rest
Detect files containing personally identifying information and other sensitive data that are shared in a cloud app, and apply sensitivity labels to limit access to employees in your company only.
Prerequisites
You must have at least one app connected using app connectors.
Enable Microsoft Purview Information Protection integration.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Under Inspection method, select Data Classification Service (DCS) and under Select type select the type of sensitive information you want DCS to inspect.
Under Governance actions, check Apply sensitivity label and select the sensitivity label that your company uses to restrict access to company employees.
Create the file policy.
Note
The ability to apply a sensitivity label directly in Defender for Cloud Apps is currently only supported for Box, Google Workspace, SharePoint Online, and OneDrive for Business.
Detect data access from an unauthorized location
Detect when files are accessed from an unauthorized location, based on your organization's common locations, to identify a potential data leak or malicious access.
Prerequisites
You must have at least one app connected using app connectors.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new Activity policy.
Set the filter Activity type to the file and folder activities that interest you, such as View, Download, Access, and Modify.
Set the filter Location does not equal, and then enter the countries/regions from which your organization expects activity.
Optional: You can use the opposite approach and set the filter to Location equals if your organization blocks access from specific countries/regions.
Optional: Create Governance actions to be applied to detected violations (availability varies between services), such as Suspend user.
Create the Activity policy.
Detect and protect confidential data stored in a non-compliant SharePoint site
Detect files that are labeled as confidential and are stored in a non-compliant SharePoint site.
Prerequisites
Sensitivity labels are configured and used inside the organization.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Set the filter Sensitivity label to Microsoft Purview Information Protection equals the Confidential label, or your company's equivalent.
Set the filter Parent folder does not equal, and then under Select a folder choose all the compliant folders in your organization.
Under Alerts select Create an alert for each matching file.
Optional: Set the Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example, for Box, select Send policy-match digest to file owner and Put in admin quarantine.
Create the file policy.
Detect externally shared source code
Detect when files that contain content that might be source code are shared publicly or are shared with users outside of your organization.
Prerequisites
You must have at least one app connected using app connectors.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Select and apply the policy template Externally shared source code.
Optional: Customize the list of file Extensions to match your organization's source code file extensions.
Optional: Set the Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example, in Box, Send policy-match digest to file owner and Put in admin quarantine.
Select and apply the policy template.
Detect unauthorized access to group data
Detect when files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could indicate an insider threat.
Prerequisites
You must have at least one app connected using app connectors.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new Activity policy.
Under Act on, select Repeated activity, customize the Minimum repeated activities, and set a Timeframe that matches your organization's policy.
Set the filter Activity type to the file and folder activities that interest you, such as View, Download, Access, and Modify.
Set the filter User to From group equals and then select the relevant user groups.
Note
User groups can be imported manually from supported apps.
Set the filter Files and folders to Specific files or folders equals and then choose the files and folders that belong to the audited user group.
Set the Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example, you can choose to Suspend user.
Create the Activity policy.
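To make the Repeated activity logic concrete, the following added example (not Defender for Cloud Apps code) models how the Activity policy above evaluates a log: users outside the audited group who perform at least Minimum repeated activities of the selected types on the group's files within the Timeframe are flagged. The group, file paths and activity log are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from a real tenant): the audited group, the files
# that belong to it, and the Activity type values selected in the policy filter.
FINANCE_GROUP = {"alice", "bob"}
FINANCE_FILES = {"/Finance/Q3-forecast.xlsx", "/Finance/payroll.csv"}
AUDITED_ACTIVITIES = {"View", "Download", "Access", "Modify"}

# Constructed activity log: (timestamp, user, activity type, file path)
ACTIVITY_LOG = [
    ("2024-05-01T09:00:00", "alice", "View", "/Finance/Q3-forecast.xlsx"),  # group member
    ("2024-05-01T09:01:00", "carol", "View", "/Finance/Q3-forecast.xlsx"),
    ("2024-05-01T09:03:00", "carol", "Download", "/Finance/payroll.csv"),
    ("2024-05-01T09:05:00", "carol", "Access", "/Finance/payroll.csv"),
    ("2024-05-01T09:06:00", "carol", "Rename", "/Finance/payroll.csv"),  # not an audited type
    ("2024-05-01T09:07:00", "dave", "View", "/Finance/payroll.csv"),
    ("2024-05-01T11:00:00", "dave", "View", "/Finance/payroll.csv"),  # far outside dave's window
    ("2024-05-01T09:08:00", "carol", "Modify", "/Finance/Q3-forecast.xlsx"),
]

def detect_repeated_out_of_group_access(log, group, files, min_repeats, timeframe_minutes):
    """Return {user: timestamp of first alert} for users outside `group` who perform at
    least `min_repeats` audited activities on `files` within any `timeframe_minutes` window."""
    timeframe = timedelta(minutes=timeframe_minutes)
    alerts = {}
    windows = defaultdict(deque)  # per-user sliding window of in-scope activity timestamps
    for ts, user, activity, path in sorted(log):  # evaluate events in time order
        # Policy filters: User not From group, Activity type, Specific files or folders
        if user in group or activity not in AUDITED_ACTIVITIES or path not in files:
            continue
        when = datetime.fromisoformat(ts)
        win = windows[user]
        win.append(when)
        while when - win[0] > timeframe:  # drop events older than the Timeframe
            win.popleft()
        if len(win) >= min_repeats and user not in alerts:
            alerts[user] = ts  # Act on: Repeated activity threshold reached
    return alerts

if __name__ == "__main__":
    # carol reaches 3 audited activities within 10 minutes; dave and alice do not
    print(detect_repeated_out_of_group_access(ACTIVITY_LOG, FINANCE_GROUP, FINANCE_FILES, 3, 10))
```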
Detect publicly accessible S3 buckets
Detect and protect against potential data leaks from AWS S3 buckets.
Prerequisites
You must have an AWS instance connected using app connectors.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Select and apply the policy template Publicly accessible S3 buckets (AWS).
Set the Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example, for AWS, select Make private, which makes the S3 buckets private.
Create the file policy.
Detect and protect GDPR related data across file storage apps
Detect files that are shared in cloud storage apps and contain personally identifying information and other sensitive data that is bound by a GDPR compliance policy. Then, automatically apply sensitivity labels to limit access to authorized personnel only.
Prerequisites
You must have at least one app connected using app connectors.
Microsoft Purview Information Protection integration is enabled and a GDPR label is configured in Microsoft Purview.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
Under Inspection method, select Data Classification Service (DCS), and under Select type select one or more information types that fall under the GDPR, for example: EU debit card number, EU drivers license number, EU national/regional identification number, EU passport number, EU SSN, EU tax identification number.
Set the Governance actions to be taken on files when a violation is detected, by selecting Apply sensitivity label for each supported app.
Create the file policy.
Note
Currently, Apply sensitivity label is only supported for Box, Google Workspace, SharePoint Online, and OneDrive for Business.
Block downloads for external users in real time
Prevent company data from being exfiltrated by external users, by blocking file downloads in real time, using the Defender for Cloud Apps session controls.
Prerequisites
Make sure your app is a SAML-based app that uses Microsoft Entra ID for single sign-on, or is onboarded to Defender for Cloud Apps for Conditional Access app control.
For more information on supported apps, see Supported apps and clients.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new Session policy.
Under Session control type, select Control file download (with inspection).
Under Activity filters, select User and set it to From group equals External users.
Note
You don't need to set any app filters to enable this policy to apply to all apps.
You can use the File filter to customize the file type. This gives you more granular control over what type of files the session policy controls.
Under Actions, select Block. You can select Customize block message to set a custom message to be sent to your users so they understand the reason the content is blocked and how they can enable it by applying the right sensitivity label.
Select Create.
Enforce read-only mode for external users in real time
Prevent company data from being exfiltrated by external users, by blocking print and copy/paste activities in real time, using the Defender for Cloud Apps session controls.
Prerequisites
Make sure your app is a SAML-based app that uses Microsoft Entra ID for single sign-on, or is onboarded to Defender for Cloud Apps for Conditional Access app control.
For more information on supported apps, see Supported apps and clients.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new Session policy.
Under Session control type, select Block activities.
In the Activity source filter:
Select User and set From group to External users.
Select Activity type equals Print and Cut/copy item.
Note
You don't need to set any app filters to enable this policy to apply to all apps.
Optional: Under Inspection method, select the type of inspection to apply and set the necessary conditions for the DLP scan.
Under Actions, select Block. You can select Customize block message to set a custom message to be sent to your users so they understand the reason the content is blocked and how they can enable it by applying the right sensitivity label.
Select Create.
Block upload of unclassified documents in real time
Prevent users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.
Prerequisites
Make sure your app is a SAML-based app that uses Microsoft Entra ID for single sign-on, or is onboarded to Defender for Cloud Apps for Conditional Access app control.
For more information on supported apps, see Supported apps and clients.
Sensitivity labels from Microsoft Purview Information Protection must be configured and used inside your organization.
Steps
In the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy management. Create a new Session policy.
Under Session control type, select Control file upload (with inspection) or Control file download (with inspection).
Note
You don't need to set any filters to enable this policy to apply to all users and apps.
Select the file filter Sensitivity label does not equal and then select the labels your company uses to tag classified files.
Optional: Under Inspection method, select the type of inspection to apply and set the necessary conditions for the DLP scan.
Under Actions, select Block. You can select Customize block message to set a custom message to be sent to your users so they understand the reason the content is blocked and how they can enable it by applying the right sensitivity label.
Select Create.
Note
For the list of file types that Defender for Cloud Apps currently supports for sensitivity labels from Microsoft Purview Information Protection, see Microsoft Purview Information Protection integration prerequisites.
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.