Each of these have strengths, limitations, and ideal scenarios \u2013 you may find you need a combination!<\/p>\n\n\n\n
App Enforced Restrictions<\/h2>\n\n\n\n
App Enforced Restrictions are a lightweight yet effective way to control user actions when accessing Exchange Online, SharePoint Online, and OneDrive from unmanaged devices.<\/p>\n\n\n\n
Instead of blocking access entirely, this method allows you to permit access via a web browser only, then layer on session-based restrictions to limit what users can do within that session.<\/p>\n\n\n\n
App Enforced Restrictions are enforced through Entra Conditional Access policies. However, they also require administrative configurations within SharePoint Online and Exchange Online to achieve the desired functionality.<\/p>\n\n\n\n
Some examples of what you can enforce are:<\/p>\n\n\n\n
- \n
- Browser-only editing<\/strong>: Restrict access so that users can only view or edit documents within the browser \u2013 this blocks the use of Microsoft 365 desktop apps or any locally installed applications from opening or editing company data.<\/li>\n<\/ul>\n\n\n\n
- \n
- Download, sync, and print restrictions:<\/strong> Stop users from downloading files, syncing libraries, or printing content. Files, including email attachments, remain contained within the browser session, preventing file data exfiltration. Use of M365 desktop apps and the OneDrive client are blocked.<\/li>\n<\/ul>\n\n\n\n
- \n
- Read-only access:<\/strong> Prevent users from editing files in the browser entirely, making documents view-only during the session.<\/li>\n<\/ul>\n\n\n\n
- \n
- Hide Outlook attachments:<\/strong> Fully remove visibility of attachments in Outlook on the web to eliminate even the option to preview or open them.<\/li>\n<\/ul>\n\n\n\n
- \n
- Idle session timeout:<\/strong> Automatically sign users out after a defined period of inactivity in the browser.<\/li>\n<\/ul>\n\n\n\n
Considerations<\/h3>\n\n\n\n
- \n
- Viewing and editing documents within a browser session (Office Online) will still allow users to copy & paste (exfiltrate) content like text and pictures.<\/li>\n\n\n\n
- There is no dedicated auditing or deep session analytics, however:
- User actions are reflected indirectly in the Microsoft 365 Unified Audit Log, primarily through activities in SharePoint Online, OneDrive, or Exchange Online.<\/li><\/ul>\n
- \n
- User sessions that are subject to App Enforced Restrictions can be identified within the Entra Sign-in logs.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Outlook on the Web (OWA) mailbox policies will also apply to the new Outlook for Windows app e.g. hiding attachments.<\/li>\n\n\n\n
- Conditional Access capabilities are included with Entra ID P1, so no additional licences like Microsoft Intune or any E5 SKUs are required.<\/li>\n\n\n\n
- The controls are operating system agnostic; you just need to be using a supported browser.<\/li>\n<\/ul>\n\n\n\n
![\"Using](\"https:\/\/prs.me.uk\/wp-content\/uploads\/2025\/06\/OWA-Unmanaged-Ubuntu-scaled.png\")
<\/figure>\n\n\n\nHere we have an example of using Ubuntu to access OWA and App Enforced Restrictions are controlling what can be done with the email attachments.<\/p>\n\n\n\n
Mobile Application Management (MAM) on Windows<\/h2>\n\n\n\n
MAM on Windows brings Intune App Protection Policy (APP) capabilities, previously associated mostly with mobiles, into the desktop space.<\/p>\n\n\n\n
Currently only supported by Microsoft Edge, this feature enables you to enforce granular data protection policies at the application level without managing or enrolling the device which continues to be fully \u201cunmanaged\u201d.<\/p>\n\n\n\n
The magic happens when the user accesses a company resource in the browser \u2013 if they are already using Microsoft Edge, they are directed to create a new work profile and register the app, or if using another browser like Google Chrome they are prompted to switch over to Edge to get access.<\/p>\n\n\n\n
Once a work profile is created and signed in, the protection controls available to us are:<\/p>\n\n\n\n
- \n
- File Uploads: <\/strong>restrict file data ingress <\/strong>\u2013 allow or prevent users from attaching documents to company emails or uploading files to their OneDrive from the file system of the unmanaged device.<\/li>\n<\/ul>\n\n\n\n
- \n
- File Downloads: <\/strong>restrict file data egress \u2013 allow or prevent file downloads from company locations such as email, OneDrive or SharePoint to the file system of the unmanaged device.<\/li>\n<\/ul>\n\n\n\n
- \n
- Cut, Copy, and Paste:<\/strong> control data ingress\/egress \u2013 allow or block cut, copy and paste functionality within the web content area of the work profile. Unfortunately, this control isn’t very granular. It’s all or nothing – which means when you disable it, even basic in-document copy\/paste is blocked.<\/li>\n<\/ul>\n\n\n\n
- \n
- Printing:<\/strong> allow or block the ability to print company documents or emails. This will also control \u201cPrint to PDF\u201d functionality.<\/li>\n<\/ul>\n\n\n\n
- \n
- Health Checks: <\/strong>use signals from the Windows Security Centre on unmanaged devices to prevent access to company resources if the device is reporting as unhealthy.<\/li>\n<\/ul>\n\n\n\n
You can also deploy app configuration policies to customise the Edge work profile. This lets you set things like the home page, new tab behaviour, required extensions, and default search engine – creating a curated, seamless work experience.<\/p>\n\n\n\n
Considerations<\/h3>\n\n\n\n
- \n
- MAM for Edge is currently Windows-only. The same functionality isn’t supported on macOS or Linux.<\/li>\n\n\n\n
- The work profile setup screen can be very confusing. It’s easy to pick the wrong option, so clear user comms are essential – you\u2019ll also need to block personal device enrolment to avoid the consequences.<\/li>\n<\/ul>\n\n\n\n
![\"A](\"https:\/\/prs.me.uk\/wp-content\/uploads\/2025\/06\/AnnoyingMAMRegistration.png\")
<\/figure>\n\n\n\nYou need to answer \u201cYes, all apps\u201d for MAM to work, and also ensure the box is unchecked. It\u2019s a horrible screen and this is the latest Windows 11 24H2 incarnation – users and admins both hate it!<\/p>\n\n\n\n
- \n
- It even works with Microsoft Edge on Windows 11 Home edition!<\/li>\n\n\n\n
- We\u2019re not just limited to controlling access to M365 resources \u2013 any on-premises web apps published via Entra App Proxy can also require access via MAM controlled Edge.<\/li>\n\n\n\n
- Conditional Access capabilities are included with Entra ID P1, but we\u2019ll now also need a Microsoft Intune licence to apply the MAM policies (APP).<\/li>\n\n\n\n
- Only a single MAM controlled work profile is supported \u2013 adding additional ones will cause strange behaviour. <\/li>\n<\/ul>\n\n\n\n
Conditional Access App Control<\/h2>\n\n\n\n
Conditional Access App Control uses Microsoft Defender for Cloud Apps (still often referred to as MCAS) to provide real-time, proxy-based session control over access to Microsoft 365 and connected SaaS applications.<\/p>\n\n\n\n
When a user signs in from an unmanaged device, their session is routed through Microsoft\u2019s reverse proxy, allowing you to monitor activity, enforce policies and respond in real-time. This method offers the deepest level of control and visibility, making it particularly useful for high-risk scenarios or when interacting with sensitive data.<\/p>\n\n\n\n
Examples of the protection controls available to us are:<\/p>\n\n\n\n
- \n
- Similar functionality as described with App Enforced Restrictions, but with very granular control, improved targeting and extensive monitoring and auditing capabilities. Examples include:\n
- \n
- Allow access to Teams but don\u2019t allow the sending of any messages.<\/li>\n\n\n\n
- Control Cut, Copy, and Paste for specific apps <\/strong>– allow within Outlook but prevent within Teams.<\/li>\n\n\n\n
- Allow file downloads but automatically block any bulk file downloads.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Real-time Alerts:<\/strong> get notified about suspicious activities.<\/li>\n<\/ul>\n\n\n\n
Additionally, with Microsoft Purview integration we can enhance things further:<\/p>\n\n\n\n
- \n
- Content Aware Access Policies:<\/strong> use Purview sensitivity labels to determine file access, for example block documents labelled \u201chighly confidential\u201d from being downloaded whilst allowing others.<\/li>\n<\/ul>\n\n\n\n
- \n
- Inline DLP:<\/strong> inspect file contents during uploads or downloads and enforce Microsoft Purview policies in real time – such as blocking the upload of files containing personally identifiable information (PII).<\/li>\n<\/ul>\n\n\n\n
- \n
- Watermarking:<\/strong> apply dynamic watermarks that overlay a user\u2019s email address and the current date\/time on open documents to discourage screenshots or photographs and help make tracing easier in the case of data leakage.<\/li>\n<\/ul>\n\n\n\n
Considerations<\/h3>\n\n\n\n
- \n
- May negatively impact user experience and or performance due to the in-session proxy functionality, but not for much longer – check out the new \u201cin-browser protection\u201d feature below!<\/li>\n\n\n\n
- This is enterprise class functionality which requires M365 E5 licencing to enable all product features, or Office 365 E5 at a minimum for a smaller subset of features. Please see here<\/a> for a full feature comparison.<\/li>\n\n\n\n
- Lots of power and flexibility could add tiers of complexity if not well managed and maintained.<\/li>\n<\/ul>\n\n\n\n
Preview Feature \u2013 In-Browser Protection<\/h3>\n\n\n\n
- Lots of power and flexibility could add tiers of complexity if not well managed and maintained.<\/li>\n<\/ul>\n\n\n\n
- Watermarking:<\/strong> apply dynamic watermarks that overlay a user\u2019s email address and the current date\/time on open documents to discourage screenshots or photographs and help make tracing easier in the case of data leakage.<\/li>\n<\/ul>\n\n\n\n
- Inline DLP:<\/strong> inspect file contents during uploads or downloads and enforce Microsoft Purview policies in real time – such as blocking the upload of files containing personally identifiable information (PII).<\/li>\n<\/ul>\n\n\n\n
- Similar functionality as described with App Enforced Restrictions, but with very granular control, improved targeting and extensive monitoring and auditing capabilities. Examples include:\n
- Health Checks: <\/strong>use signals from the Windows Security Centre on unmanaged devices to prevent access to company resources if the device is reporting as unhealthy.<\/li>\n<\/ul>\n\n\n\n
- Printing:<\/strong> allow or block the ability to print company documents or emails. This will also control \u201cPrint to PDF\u201d functionality.<\/li>\n<\/ul>\n\n\n\n
- Cut, Copy, and Paste:<\/strong> control data ingress\/egress \u2013 allow or block cut, copy and paste functionality within the web content area of the work profile. Unfortunately, this control isn’t very granular. It’s all or nothing – which means when you disable it, even basic in-document copy\/paste is blocked.<\/li>\n<\/ul>\n\n\n\n
- File Downloads: <\/strong>restrict file data egress \u2013 allow or prevent file downloads from company locations such as email, OneDrive or SharePoint to the file system of the unmanaged device.<\/li>\n<\/ul>\n\n\n\n
- File Uploads: <\/strong>restrict file data ingress <\/strong>\u2013 allow or prevent users from attaching documents to company emails or uploading files to their OneDrive from the file system of the unmanaged device.<\/li>\n<\/ul>\n\n\n\n
- User actions are reflected indirectly in the Microsoft 365 Unified Audit Log, primarily through activities in SharePoint Online, OneDrive, or Exchange Online.<\/li><\/ul>\n
- Idle session timeout:<\/strong> Automatically sign users out after a defined period of inactivity in the browser.<\/li>\n<\/ul>\n\n\n\n
- Hide Outlook attachments:<\/strong> Fully remove visibility of attachments in Outlook on the web to eliminate even the option to preview or open them.<\/li>\n<\/ul>\n\n\n\n
- Read-only access:<\/strong> Prevent users from editing files in the browser entirely, making documents view-only during the session.<\/li>\n<\/ul>\n\n\n\n
- Download, sync, and print restrictions:<\/strong> Stop users from downloading files, syncing libraries, or printing content. Files, including email attachments, remain contained within the browser session, preventing file data exfiltration. Use of M365 desktop apps and the OneDrive client are blocked.<\/li>\n<\/ul>\n\n\n\n