prevent opening protected files with AIP labels at home

Shevchenko, Vladimir 41 Reputation points

I have a confidential label that applies encryption to a file. Permanent employees of the company have access to these labels as authors.
I found a weak spot. The user can send the file home, log in to the corporate Microsoft Office account on his personal home computer, and then open the encrypted confidential document. And at home, they can do whatever they want with the document.

How do I restrict users so they can't use a corporate Microsoft account on their personal devices?
In my opinion, ideally, they would be able to log in to MS Office and Microsoft Information Protection under a corporate account only from domain computers. For example, Microsoft Authenticator would not work for Office 365 or the Microsoft Information Protection Viewer on non-domain computers.

However, I need to keep my employees able to run the remote desktop login application (red icon) to their work computer from their home computer. Without Intune.


1 answer

  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee

    @Shevchenko, Vladimir
    Thank you for your post!

    Adding onto what @Marilee Turscak-MSFT mentioned and to hopefully point you in the right direction. You can leverage AIP-based Conditional Access policies to prevent permanent employees from opening AIP protected files from their home computers. Because multiple Conditional Access policies may apply to an individual user at any time, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device.

    With this in mind, you can create two Conditional Access policies. The first policy will leverage the Filter for Devices feature, which creates a rule to block any device that isn't compliant, using one of the supported operators and device properties. The second Conditional Access policy will filter based on a specific Named Location, for example your corporate IP address. Both of these policies together will only allow access from compliant devices that are connected to the corporate VPN/network.


    Additional Links:
    Create a Conditional Access policy
    Building a Conditional Access policy
    Conditional Access: Block access by location
    Conditional Access: Require compliant or hybrid Azure AD joined device

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
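The two policies described in the answer, expressed as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original thread or from Microsoft's documentation). It assumes the Microsoft.Graph module is installed, and the `<...>` values are placeholders you must replace: the object id of a break-glass account, the id of an existing Named Location for the corporate network, and the app id(s) of the Office/AIP apps to protect. The device rule additionally accepts hybrid-joined (`ServerAD`) devices, since the question rules out Intune compliance.

```powershell
# Added example: create the two Conditional Access policies from the answer above.
# Placeholders (not real ids): <BREAK_GLASS_ACCOUNT_ID>, <CORP_NAMED_LOCATION_ID>, <OFFICE_OR_AIP_APP_ID>
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Shared scope: every user except the emergency-access account, and only the apps
# being protected. Scoping to "All" apps would also block the Remote Desktop
# sign-in the question wants to keep working from home.
$users = @{ includeUsers = @("All"); excludeUsers = @("<BREAK_GLASS_ACCOUNT_ID>") }
$apps  = @{ includeApplications = @("<OFFICE_OR_AIP_APP_ID>") }

# Policy 1: device filter. "exclude" mode removes trusted devices (compliant or
# hybrid Azure AD joined) from the policy scope, so the block applies only to
# everything else, e.g. a personal home PC.
$devicePolicy = @{
    displayName   = "Block protected apps from untrusted devices"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy

# Policy 2: location filter. Block from all locations except the corporate
# Named Location (office ranges / VPN egress).
$locationPolicy = @{
    displayName   = "Block protected apps outside corporate network"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("<CORP_NAMED_LOCATION_ID>")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $locationPolicy

# Check: both policies exist; review the sign-in log in report-only mode before enforcing.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Because all applicable policies must be satisfied, a sign-in from a home PC fails policy 1 even when it comes through the corporate VPN, and a domain computer used from an unknown network fails policy 2.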
