Blocking Personal Microsoft 365 & Gmail Uploads with Cloud App Controls

Blocking Personal Microsoft 365 & Gmail Uploads with Cloud App Controls

Cloud Application Control (CAC) is a phrase used for the use-case of controlling how someone can access SaaS apps, like Google, Microsoft 365, Slack, and more. To execute the control, you use a proxy and then create URL restrictions or header injection to perform the actual policy enforcement.

CAC Policies can help with a number of things:

  1. Segmenting a SaaS Application to *ONLY* work for the corporate tenant, and not for the personal one (Block Personal Google) 
  2. Preventing users from accessing unapproved SaaS applications (think WeTransfer)

Of course, this is all in service of complying with industry regulations, such as Data Loss Prevention control.

Back in the day, in order to get a basic CAC policy going, you’d have to purchase and integrate an expensive and complicated CASB… but not with us. It’s all included in our Fly Direct Secure Web Gateway.

Let’s see how it works with Microsoft 365:

  1. Select the Cloud App Control
  2. Type in the domains you want to allow access to (e.g. your company domains like,
  3. Decide if consumer login should be toggled ON or OFF
  4. Save!

Now, what’s happening under the hood once you configure this?

When consumer logins are not allowed this means that employees will not be able to access their personal Microsoft 365 or OneDrive accounts, and the following is sent in the CAC configuration to the endpoint.

This is how our agent receives the configuration *from* the cloud console for the particular user/device combination.

You can see that consumer logins are restricted by injecting the ‘’ header. If an employee tries to access their personal Microsoft 365 email or OneDrive, they will be hit with a block page.

REMEMBER: This is a Microsoft/Google/Slack etc. control point, so it’s *very* reliable.

Now let’s say you as an organization will allow consumer logins, you check the box that says “allow” and now your employees can access their personal Microsoft 365 email and OneDrive accounts. The policy configuration sent to the endpoint now looks like this:

You can see the only difference is that the ‘’ inject header restriction is removed, now allowing consumer logins.

Amazing, right? Now this is a very common setup, because organizations don’t want to be so restricting with their employees and completely cut off access to their personal email accounts. But, by doing so, they are exposing themselves to a potential data exfiltration risk of employees either deliberately or accidentally sending themselves confidential company files or data.

Well, what if I want to use personal cloud apps, but restrict uploads?

In other words, you’re looking for our new CAC Read Only feature! With this, organizations have the ability to allow personal access to the defined app, Microsoft 365 or Google, but block the ability to upload files and attachments to an employee’s personal accounts.

It's the best of both worlds. 

Sticking with the Microsoft 365 example, in order to make this happen there is a “stream processor” under the hood for Microsoft 365 that integrates with the above CAC configuration. This processor determines when and what to block. If the origin is from “*”, then the request to upload or attach the file is blocked. As always with dope, it’s just a one-check box to block or allow consumer uploads. 😀 

Google works similarly by identifying which requests are from a personal ID ( but to be honest, most solutions either don’t offer this, or make it very challenging to do this. With dope, there’s no extra charge, no extra work. Just hit the checkbox—it’ll instantly update your endpoints, and you’re done!

To start, this feature will be available for Microsoft 365 and Google, and very soon after, it will be rolled out to all cloud applications we support. Try it now. 

User Experience
User Experience
Technology Solutions
Technology Solutions
back to blog Home