Imagine a worker is using a company-approved cloud app, but tries to download secret company files. Which specific Microsoft Defender for Cloud Apps rule can stop just that download right when it happens, without kicking the worker out of the app entirely?
The specific Microsoft Defender for Cloud Apps rule that can stop a download of secret company files right when it happens, without kicking the worker out of the app entirely, is a Session Policy. A Session Policy provides real-time, inline control over user activities within sanctioned cloud applications. This capability is powered by a reverse proxy architecture: when a user accesses a company-approved cloud app, the session is routed through the Defender for Cloud Apps proxy, which lets Defender for Cloud Apps monitor and intervene in specific actions during that session, such as downloads, uploads, or copy-paste operations, without disconnecting the user from the application.

To implement this, an administrator would create a Session Policy with the following configuration. The policy's Activity Type would be set to "Download" to target file download attempts specifically. To identify what constitutes "secret company files," the policy uses the integration with Microsoft Purview Data Loss Prevention (DLP). DLP policies define and detect sensitive information within files, typically through sensitivity labels applied to the files (e.g., "Highly Confidential") or by inspecting file content for specific sensitive information types (e.g., credit card numbers, proprietary project names). The Session Policy's File Filters would therefore include criteria such as "Sensitivity label equals [specific confidential label]" or "Content inspection result equals [DLP policy violation]". The policy's Action would be configured as "Block."

When a worker attempts to download a file that matches these criteria, Defender for Cloud Apps intercepts the request in real time via its proxy. It then blocks the download, preventing the sensitive file from being transferred to the user's device, while the worker remains active within the cloud application and can continue performing other authorized tasks.
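The proxy routing described above only happens for apps that have been onboarded to Conditional Access App Control, so the Session Policy needs a matching Microsoft Entra Conditional Access policy that hands browser sessions to Defender for Cloud Apps. The following Microsoft Graph PowerShell snippet is an added example, not part of the original answer; the group and application object IDs are placeholders, and the Session Policy itself (Activity Type "Download", sensitivity-label file filter, Action "Block") is still created in the Defender portal as the answer describes.

```powershell
# Added example: create the Entra Conditional Access policy that routes
# browser sessions for a sanctioned app through the Defender for Cloud Apps
# proxy. Requires the Microsoft.Graph PowerShell module and an account with
# the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with the pilot group and the sanctioned app's
# object IDs from your tenant (assumed values, not from the original answer).
$pilotGroupId = "<pilot-group-object-id>"
$sanctionedAppId = "<sanctioned-app-object-id>"

$policy = @{
    displayName = "Route sanctioned app sessions through Defender for Cloud Apps"
    # Start in report-only so the proxy onboarding can be validated before
    # enforcement; switch to "enabled" once the Session Policy is in place.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($sanctionedAppId) }
        # Session controls only apply to browser sessions; native clients
        # are not proxied.
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "mcasConfigured" defers the download/upload decision to the
            # Session Policies defined in Defender for Cloud Apps, instead
            # of the coarser "blockDownloads" option that blocks every download.
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created Conditional Access policy $($created.Id) in state $($created.State)"
```

Once the policy is enforced, the first browser sign-in from a pilot user onboards the app to Conditional Access App Control, and the Session Policy with the "Block" action then governs downloads of labelled files in that proxied session.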