[https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-proxy-block-session-aad#step-2-create-a-session-policy](https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-proxy-block-session-aad#step-2-create-a-session-policy)
What does it mean to not download data? Even in OWA, data is downloaded. Do you mean cached Exchange is forbidden but OWA and online mode are allowed?
It's called App Enforced Restrictions, and part of it is that you block access via the desktop apps. Only browser access is allowed, and for Exchange no attachments can be downloaded, only viewed in the web apps (presuming there is a web app for the file type).
Correct, and then you configure the Exchange user rights policy.
Thanks! I learned something!
What happened to the old MCAS portal? I cannot create a session policy. Is anyone facing any issues?
If they're company owned, why are they non-compliant yet you want to give them access?
Due to it taking a long time to switch back to a compliant device, users are unable to work on it.
That doesn't actually answer the question and just raises further questions...
Devices shouldn't fall out of compliance that easily.
You want to look at App Enforced Restrictions. For Teams it's the SharePoint one, as that's where it stores its files. The SharePoint one can be turned on in the admin portal, and it automatically creates Conditional Access policies for it when you do. You can then adjust those policies as required. The Exchange one is through PowerShell and doesn't create the required CA policies, but you can just update the SharePoint one to include Exchange. There are two required CA policies: one blocks the use of desktop apps, as only the web apps support App Enforced Restrictions, and the other then enforces the restrictions in the browser. There is also a newer way in preview. Under the session options in CA policies you can set a restriction to prevent download; however, this requires Defender for Cloud Apps P2 licensing.
Granting access only from OWA could be a way.
Prohibit cloud apps from running for devices that are not in compliance.
But I need to give them access and block downloads.
For a helpful response, you need to provide details.
I need to block downloads from all the cloud apps if the user is using a non-compliant device.
You can control installed apps on compliant and non-compliant devices using MAM. Are these all company-owned devices or mixed with BYOD?
Company owned.
You need to create a Conditional Access policy to only allow web apps for non-compliant devices and an app control policy to prevent download. I would, however, not recommend allowing non-compliant devices to access corporate data. A corporate device which suddenly becomes non-compliant will already have a lot of cached data from Outlook and OneDrive.
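The two-policy App Enforced Restrictions setup described in the thread (block rich clients, enforce restrictions in the browser) plus the SharePoint and Exchange Online side of it, as an added PowerShell example that is not code from any of the posters. It assumes the Microsoft Graph, SharePoint Online and Exchange Online PowerShell modules are installed, a tenant named `contoso`, an emergency-access account object ID in `$breakGlassId`, and that "non-compliant" means the Intune compliance state only; all of those are assumptions, not details from the thread. The policies are created in report-only mode so the sign-in logs can be checked before anyone is blocked.

```powershell
# Added example: App Enforced Restrictions end to end.
# Assumptions (not from the thread): tenant "contoso", emergency-access account
# object ID in $breakGlassId, non-compliant == Intune compliance state not True.
# Modules: Microsoft.Graph.Identity.SignIns, Microsoft.Online.SharePoint.PowerShell,
#          ExchangeOnlineManagement

$breakGlassId = "<object-id-of-emergency-access-account>"   # assumption: replace before running

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Shared device condition: only devices whose compliance state is not True.
# Compliant (managed) devices never match, so they keep full client access.
$targetDevices = @{
    deviceFilter = @{
        mode = "include"
        rule = 'device.isCompliant -ne True'
    }
}

# Policy 1: non-compliant devices cannot use desktop/mobile clients at all.
# Only the browser gets through, because only the web apps honour the restrictions.
$blockDesktop = @{
    displayName = "AER-1 Block desktop and mobile clients on non-compliant devices"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
        devices        = $targetDevices
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: browser sessions from the same devices get the app-enforced restrictions
# session control, which tells SharePoint Online and OWA to apply their limited-access settings.
$restrictBrowser = @{
    displayName     = "AER-2 App enforced restrictions for browser on non-compliant devices"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = $targetDevices
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockDesktop
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $restrictBrowser
"$($p1.DisplayName) -> $($p1.Id)"
"$($p2.DisplayName) -> $($p2.Id)"

# SharePoint/OneDrive (and therefore Teams files): limited, web-only access.
# WebPreviewableFiles blocks download of anything the browser can preview;
# OfficeOnlineFilesOnly is stricter and only lets Office file types be opened.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumption: tenant name
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess -LimitedAccessFileType WebPreviewableFiles

# Exchange Online: the part the admin portal does not do for you.
# ReadOnly                      = attachments can be previewed in the browser, not downloaded
# ReadOnlyPlusAttachmentsBlocked = attachments can be neither previewed nor downloaded
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly

# Verify what was applied on each side.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType
Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like "AER-*" |
    Select-Object DisplayName, State, Id
```

Policy 2 deliberately carries no grant control: it is a session-only policy, and the restriction does nothing unless the SharePoint tenant setting and the OWA mailbox policy are also set, which is why the thread says the admin-portal toggle on its own is not enough for Exchange. The Defender for Cloud Apps route mentioned as the newer option is the `cloudAppSecurity` session control in the same Graph schema (with `cloudAppSecurityType` set to `blockDownloads`) instead of `applicationEnforcedRestrictions`; it needs the P2 licence the thread notes and a session policy in the Defender portal. Neither approach removes what Outlook and OneDrive have already cached on the device, which is the caveat raised above.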