Conditional Access App Control — Solving Microsoft 365

Conditional Access App Control is the integration between Microsoft Entra Conditional Access and Microsoft Defender for Cloud Apps that proxies session traffic through Defender after sign-in. Once routed, Defender enforces session-level controls — block download, prevent copy/paste, watermark documents, require step-up authentication on sensitive actions, monitor and log every action. Typical use case: allow access to Microsoft 365 from unmanaged BYOD devices but block downloading any files so corporate content can be viewed but not copied locally. Configured in Entra Conditional Access with a session control pointing to Defender for Cloud Apps.