At a glance

To prevent downloads from (unmanaged) devices you can use cloud app security or app enforced restrictions.
In both cases this can be done via conditional access polices:

Cloud App Security

App enforced restrictions

The two options

1. Conditional Access with Cloud App Security

Description:
Cloud App Security controls and restrict the usage of all cloud application in your company – it acts like a Cloud Access Security Broker (CASB)
When a user access a file or tries to download it, this action will be observed by CASB.

Use case:

• Secure remote work (e.g. home office)
• prevent data loss
• force user to work with company/compliant devices
• enforce compliance policies

License requirements:

• Conditional Access (min. Azure AD P1)
• Cloud App Security (min. EMS E3)

How it works:

1. User tries to access/interact with a file 
2. Conditional Access checks if there are App control policies defined
3. User can access the app, the impact of the policy is for now not visible to the user (red line in image)
4. User tries to download content from e.g. ShrePoint online
5. Cloud App Security will block this interaction and trigger the download of a dummy file
6. The dummy file says “download was blocked” to the user

2. App enforced restrictions

Description:
With App enforced restrictions you set up restrictions in the specific M365 apps e.g. Exchange online, SharePoint online, Teams.
Conditional Access will check if these restrictions should be applied.
Note: In addition you also need to set up the restrictions specifically in the target app. 

License requirements:

• Conditional Access (min. Azure AD P1)

How it works:

1. User tries to access e.g. SharePoint online
2. Conditional Access checks if there are App enforced restrictions defined
3. If yes, the application will be enforced to apply these
4. When the user access SharePoint online, he will see a message that download of content is blocked

Error: