I've started using Claude AI with a group of test users, and I've discovered a significant security issue with the MCP connector. It seems that users can access company M365 data from their personal devices without restrictions. We have conditional access policies in place to allow access only from compliant devices, but right now, users can log into their personal Claude accounts on work laptops, set up the M365 connector, and then access it from personal devices. I believe the only solution is to block personal Claude accounts on company devices. I'm looking for other suggestions to prevent this issue. Any ideas?
3 Answers
It sounds like your conditional access only covers the initial sign-in on managed devices. Once the users get the M365 connector token with their personal Claude accounts, they can access it from anywhere. The simplest fix is indeed to block personal Claude accounts on work devices to stop this from happening. Otherwise, you'd need a more complex solution to manage access effectively.
Honestly, allowing users to log into their personal accounts on company devices seems risky. You need to evaluate the potential for data leaks. If you're insistent on permitting it, at least ensure that usage is monitored and that sensitive uploads are blocked.
You might want to consider blocking access to the Claude API altogether. By routing all connections through a dedicated LLM gateway, you can create a controlled environment for acceptable use. This way, it becomes easier to manage connections and prevent unauthorized access.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures