Azure

Securing Your Organization from Unwanted AI Tools with Microsoft 365 Defender + Intune

- February 7, 2025 - rsoligan

Written by Rob Soligan with contributions from John Rayborn, Matt Olsen, Kevin Friedemann

Summary

As artificial intelligence tools like DeepSeek AI become more prevalent, organizations must take proactive measures to control access and mitigate security risks. This guide walks you through the process of blocking applications like DeepSeek AI using Microsoft’s XDR security suite + Intune, including Defender for Office 365 (MDO), Defender for Endpoint (MDE), Defender for Cloud Apps (MDCA), and Microsoft Intune.

By following these steps, you can enforce security policies, restrict unauthorized AI tools, and prevent potential data leakage across email, endpoints, cloud applications, and managed devices. This guide is designed for IT security teams, SOC analysts, and cybersecurity professionals looking to implement a defense-in-depth strategy to protect their organizations from unwanted AI-powered applications but can be applied to similar threats to your organization.

Make sure you review the provided documentation to fully understand any changes before implementing them. If you are uncertain about their impact, reach out to your local support staff or Microsoft team for guidance.

Authors Note: For guidance on how to harden your Azure tenant, I recommend you review the Cyberlorians post cover best practices for securing your tenants Generative AI landscape and reviewing his github https://github.com/Cyberlorians/.

Instructions

  1. Microsoft Defender for Office (MDO)
    • Block domains from communicating via email to your tenant
    • [Learn more]
  2. Microsoft Defender for Endpoint (MDE)
  3. Microsoft Defender for Cloud Apps (MDCA)
    • Unsanction and block access to the Cloud App
    • [Learn more].
  4. Microsoft Intune
    • Create a Windows Firewall Policy to block communications to the domain
    • Create an explicit blocklist preventing phones with specific app from accessing your resources
    • [Learn more] .

MDO – Learn Doc

Commercial Link- https://security.microsoft.com/tenantAllowBlockList

GCC Link- https://security.microsoft.us/tenantAllowBlockList

The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. Block entries for Domains and email addresses to prevent users in the organization from sending email to blocked domains and addresses.

Defender Portal -> Email & collaboration -> Policies & rules -> Threat policies -> Tenant Allow/Block List

MDE- Learn Doc

Commercial Link- https://security.microsoft.com/securitysettings/endpoints/custom_ti_indicators

GCC Link- https://security.microsoft.us/securitysettings/endpoints/custom_ti_indicators

By defining indicators for IPs, URLs, or domains, you can block them based on your own threat intelligence. Additionally, you can alert users if they attempt to access a potentially risky application.

Defender Portal -> System -> Settings -> Endpoints -> Indicators -> URLs/Domains

Determine action you would like to take

Determine if an alert should be generated and its severity

Select the scope of your deployment


MDCA – Learn Doc

Commercial Link- https://sip.security.microsoft.com/cloudapps/app-catalog?text=contains(o%3A(searchType%3Ai%3A1%2Cadv%3Ab%3Afalse)%2Cdeepseek)

GCC Link- https://security.microsoft.us/cloudapps/app-catalog?text=contains(o%3A(searchType%3Ai%3A1%2Cadv%3Ab%3Afalse)%2Cdeepseek)

To designate a risky app as unsanctioned, click the three dots at the end of the row and select Unsanctioned. This does not block the app but allows for easier tracking through cloud discovery filters. You can then notify users about the unsanctioned app, recommend a safer alternative, or generate a block script via Defender for Cloud Apps APIs to restrict access to all unsanctioned apps.

Defender Portal -> Cloud app catalog


INTUNE FIREWALL– LEARN DOC

Commercial Link-https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/firewall

GCC Link-https://intune.microsoft.us/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/firewall

In Intune, use the Endpoint Security Firewall policy to configure the built-in firewall on devices running macOS and Windows.

Although firewall settings can also be configured using Endpoint Protection profiles under device configuration, these profiles include additional settings beyond firewalls. These extra settings may introduce complexity when configuring only firewall-related policies for your environment.

Follow these steps to implement a firewall policy and block the domain at a host level

Name the settings

Configure settings in question

use the format *.{domain}.tld to make sure you capture http and https connections

Configure settings group

Save the settings you just created

Determine the profile scope

Name your policy

Add the settings you created in the earlier steps

Scope your policy

Determine any policy assignments you would like to see

Save your policy

INTUNE BLOCK APP (IOS)LEARN DOC

https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesIosMenu/~/configuration

https://intune.microsoft.us/#view/Microsoft_Intune_DeviceSettings/DevicesIosMenu/~/configuration

To block an app with IOS, you need the app “bundleId” to create a compliance policy you can flag on

Copy the id number from the URL

Paste that id number in this url to obtain additional details via a downloaded .txt file

https://itunes.apple.com/lookup?id={id}&country=us

Capture the bundleId and the trackName from the document

“trackName”:”DeepSeek – AI Assistant”

“bundleId”:”com.deepseek.chat”

Capture the bundleId

Capture the trackName

Implement a policy to block the app

Name your policy

declare the bundleId in box 14

Select any additional noncompliance actions

Select any additional assignments you would like to see applied

Create the Compliance policy

Leave a Reply

Your email address will not be published. Required fields are marked *