Some companies will block access to Outlook on the web entirely because they don’t want users to be able to download their company data externally. This new feature strikes a middle ground, so users can still access Outlook on the web, but admins can use conditional access to restrict downloads from Outlook on the web on personal or unmanaged devices.
What is Conditional Access?
Conditional access lets you define different security measures which take effect depending on how users are trying to access your company data. For example a risky sign in according to Azure Active Directory might prompt for MFA, while a sign in from inside your company network on a trusted device won’t. An unmanaged or non-compliant device might not be able to access certain apps, while compliant devices can.
How to set up Conditional Access for Outlook on the web
Add the policy via Azure Active Directory Conditional Access
In this example, we are setting up a conditional access policy for non-compliant devices which prevents users from being able to download attachments via the browser.
- Log in to portal.azure.com and open Azure Active Directory
- Click Conditional Access and create a new policy
- Under Users and groups, choose people or groups to apply the policy to.
- Click Cloud apps, choose Select apps, then search for and select Office 365 Exchange Online
- Under Session, select Use app enforced restrictions
Configure the OWAMailboxPolicy via Powershell
- Connect to Exchange Online via Powershell
- Run the following cmdlet to get the name(s) of your current OWA Mailbox Policies.
Get-OwaMailboxPolicy | ft Name
- Run the following cmdlet to set the Conditional Access policy option on your OWA Mailbox policy to ReadOnly.
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly
Valid values for the -ConditionalAccessPolicy parameter are:
- Off: No conditional access policy is applied to Outlook on the web. This is the default value.
- ReadOnly: Users can’t download attachments to their local computer, and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
- ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.
Wait a few hours for the policy to apply. Once it takes effect, the previously selected users on non-compliant devices will not be able to download attachments via Outlook on the web.
What is the user experience?
The ReadOnly policy will ensure that users on non-compliant devices can’t download email attachments through Outlook on the web to their local device. They can only access them via the file viewers in the browser.
If you use the ReadOnlyPlusAttachmentsBlocked value, users will not be able to access attachments via the browser at all.
What license do I need for Conditional Access for Outlook on the web?
Conditional Access requires a subscription with Azure AD P1 or P2.