O365 data loss prevention - AlexFilipin/ConditionalAccess GitHub Wiki
The data protection policies used in the policy sets can be confusing at first sight. The policies cover internal and external users and make sure there is no gap across device platforms or client apps.
## Internal users

| Device platforms | Client app | Access control |
| --- | --- | --- |
| iOS & Android | Browser | Trusted device or app enforced restrictions |
| iOS & Android | Modern authentication clients | App protection policy or approved client app |
| macOS & Windows | Browser | Trusted device or app enforced restrictions |
| macOS & Windows | Modern authentication clients | Trusted device |
| Unknown | Browser | Indirect app enforced restrictions (cannot be on trusted device) - could also be blocked via 302 |
| Unknown | Modern authentication clients | Direct block |
- App protection policies apply even on a trusted iOS/Android device, which is worth a DLP discussion: is data loss via the browser on a trusted device a concern, or should a trusted device carry no DLP controls at all?
- Data loss on trusted macOS & Windows devices would be possible unless you take care of Endpoint DLP.
## External users

| Device platforms | Client app | Access control |
| --- | --- | --- |
| iOS & Android | Browser | Indirect app enforced restrictions (cannot be on trusted device) |
| iOS & Android | Modern authentication clients | Direct block |
| macOS & Windows | Browser | Indirect app enforced restrictions (cannot be on trusted device) |
| macOS & Windows | Modern authentication clients | Indirect block (cannot be on trusted device) |
| Unknown | Browser | Indirect app enforced restrictions (cannot be on trusted device) - could also be blocked via 302 |
| Unknown | Modern authentication clients | Direct block |
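The point of both matrices is that every combination of user type, device platform and client app lands on exactly one control, with no gap. The script below is an added example, not code from the AlexFilipin/ConditionalAccess repository: it models a policy set in the shape of Microsoft Graph `conditionalAccessPolicy` objects (the field names `conditions.users`, `conditions.platforms`, `conditions.clientAppTypes`, `grantControls.builtInControls` and `sessionControls.applicationEnforcedRestrictions` are real Graph names; the policy contents, display names and the `MEMBERS`/`GUESTS` shorthands are constructed here to approximate the two tables, not the repository's own JSON) and then enumerates all sign-in shapes to report which control each one meets and which ones nothing covers. The "Unknown" platform is reached only by policies that target all platforms, which is why the block policies for it are written as "all platforms minus the known ones".

```python
"""Coverage check for a Conditional Access data-protection policy set.

Added example; not code from the AlexFilipin/ConditionalAccess repository.
The policies are constructed here to approximate the page's two matrices and
reuse Microsoft Graph conditionalAccessPolicy field names, nothing more.
"""
from itertools import product

USER_TYPES = ("internal", "external")
# "unknown" stands for a platform the service cannot identify; such sign-ins
# are only matched by policies whose includePlatforms is ["all"].
PLATFORMS = ("iOS", "android", "windows", "macOS", "unknown")
CLIENT_APPS = ("browser", "mobileAppsAndDesktopClients")


def _policy(name, include_users, client_apps, include_platforms=("all",),
            exclude_platforms=(), exclude_users=(), grant=None,
            operator="OR", app_enforced=False):
    """Build one constructed policy object in Graph-like shape."""
    return {
        "displayName": name,
        "conditions": {
            "users": {"includeUsers": list(include_users),
                      "excludeUsers": list(exclude_users)},
            "platforms": {"includePlatforms": list(include_platforms),
                          "excludePlatforms": list(exclude_platforms)},
            "clientAppTypes": list(client_apps),
        },
        "grantControls": ({"operator": operator, "builtInControls": list(grant)}
                          if grant else None),
        "sessionControls": ({"applicationEnforcedRestrictions": {"isEnabled": True}}
                            if app_enforced else None),
    }


MEMBERS = dict(include_users=["All"], exclude_users=["GuestsOrExternalUsers"])
GUESTS = dict(include_users=["GuestsOrExternalUsers"])
KNOWN = ("iOS", "android", "windows", "macOS")
CLIENTS = ["mobileAppsAndDesktopClients"]

# Constructed approximation of the internal and external matrices above.
POLICY_SET = [
    _policy("CA-internal-browser-app-enforced", client_apps=["browser"],
            app_enforced=True, **MEMBERS),
    _policy("CA-internal-mobile-app-protection", client_apps=CLIENTS,
            include_platforms=["iOS", "android"],
            grant=["compliantApplication", "approvedApplication"], **MEMBERS),
    _policy("CA-internal-desktop-trusted-device", client_apps=CLIENTS,
            include_platforms=["windows", "macOS"], grant=["compliantDevice"], **MEMBERS),
    _policy("CA-internal-unknown-clients-block", client_apps=CLIENTS,
            exclude_platforms=KNOWN, grant=["block"], **MEMBERS),
    _policy("CA-external-browser-app-enforced", client_apps=["browser"],
            app_enforced=True, **GUESTS),
    _policy("CA-external-clients-block", client_apps=CLIENTS,
            exclude_platforms=["windows", "macOS"], grant=["block"], **GUESTS),
    # Guests cannot present a compliant device, so this is the indirect block.
    _policy("CA-external-desktop-trusted-device", client_apps=CLIENTS,
            include_platforms=["windows", "macOS"], grant=["compliantDevice"], **GUESTS),
]


def _user_matches(policy, user_type):
    users = policy["conditions"]["users"]
    inc, exc = users["includeUsers"], users["excludeUsers"]
    if user_type == "external":
        return ("GuestsOrExternalUsers" in inc
                or ("All" in inc and "GuestsOrExternalUsers" not in exc))
    return "All" in inc  # members are only targeted through "All" in this model


def _platform_matches(policy, platform):
    plats = policy["conditions"]["platforms"]
    if platform in plats["excludePlatforms"]:
        return False
    return "all" in plats["includePlatforms"] or platform in plats["includePlatforms"]


def policy_matches(policy, user_type, platform, client_app):
    return (_user_matches(policy, user_type)
            and _platform_matches(policy, platform)
            and client_app in policy["conditions"]["clientAppTypes"])


def controls_for(policies, user_type, platform, client_app):
    """Labels of every control applied to one sign-in shape.

    Grant controls keep their operator, so "compliantApplication OR
    approvedApplication" stays one label instead of two unrelated ones.
    """
    labels = set()
    for pol in policies:
        if not policy_matches(pol, user_type, platform, client_app):
            continue
        grant = pol.get("grantControls")
        if grant:
            labels.add(f" {grant['operator']} ".join(grant["builtInControls"]))
        session = pol.get("sessionControls") or {}
        if session.get("applicationEnforcedRestrictions", {}).get("isEnabled"):
            labels.add("appEnforcedRestrictions")
    return frozenset(labels)


def coverage(policies):
    """Map every (user type, platform, client app) to the controls it meets."""
    return {combo: controls_for(policies, *combo)
            for combo in product(USER_TYPES, PLATFORMS, CLIENT_APPS)}


def gaps(policies):
    """Sign-in shapes no policy touches at all: the DLP gaps to close."""
    return sorted(c for c, labels in coverage(policies).items() if not labels)


if __name__ == "__main__":
    for combo, labels in coverage(POLICY_SET).items():
        print(f"{'/'.join(combo):50} {', '.join(sorted(labels)) or 'GAP'}")
    print("gaps:", gaps(POLICY_SET))
```

Removing any one policy from the constructed set, for instance the one blocking modern authentication clients on unknown platforms for internal users, makes `gaps()` report exactly the sign-in shape that is left uncovered; running the same enumeration against an exported tenant policy set is a cheap way to catch a platform or client-app combination that falls through.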