Forum Discussion

drogu-kangaroo
Copper Contributor
May 22, 2023

New Outlook opens security hole

Hello,

We just tested the New Outlook and discovered that it allows users to add personal Gmail accounts to their Outlook profile. We have intentionally blocked 3rd party email services to prevent data loss. We don't ever want an end user to be able to send out confidential corporate information with their personal email account. Is there no way to disable this 'feature' for our tenant? You are now effectively bypassing all the data loss prevention security we have put in place around email, including explicit blocks for Gmail and Yahoo on our firewall. 

  • RobYoung
    Iron Contributor

    drogu-kangaroo

    Just an update, I performed the following test again and it did work:
    Create a test owa policy using powershell:
    New-OwaMailboxPolicy TestOWAPolicy
    Then I disabled personal accounts:
    Set-OwaMailboxPolicy -PersonalAccountsEnabled $false -Identity TestOWAPolicy
    Then I applied the policy to a test user:
    Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy

    I then tried to add my personal mailbox to my outlook. It goes through the motions and just as it is about to sync, I get this:

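    The same three steps as a tenant-wide, re-runnable script (an added example, not code from RobYoung or from Microsoft): it creates the policy only if missing, turns off personal accounts, assigns the policy to every user mailbox that lacks it, and then reports any mailbox still on a different policy. It assumes the ExchangeOnlineManagement module and an admin with rights to manage OWA mailbox policies; the policy name "BlockPersonalAccounts" is a placeholder.

```powershell
# Added example: enforce PersonalAccountsEnabled = $false across the tenant
# and verify coverage. Assumes ExchangeOnlineManagement is installed and the
# signed-in admin can manage OWA mailbox policies. "BlockPersonalAccounts"
# is a placeholder policy name.

$PolicyName = 'BlockPersonalAccounts'

Connect-ExchangeOnline

# Create the policy only if it does not already exist, so the script is idempotent.
$policy = Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-OwaMailboxPolicy -Name $PolicyName
}

# The setting from the thread: block adding personal / third-party accounts
# in the new Outlook. Note the plain $false (no leading dash).
Set-OwaMailboxPolicy -Identity $PolicyName -PersonalAccountsEnabled $false

# Assign the policy to every user mailbox that does not already have it.
$mailboxes = Get-CASMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    if ($mbx.OwaMailboxPolicy -ne $PolicyName) {
        Set-CASMailbox -Identity $mbx.Identity -OwaMailboxPolicy $PolicyName
    }
}

# Verification: confirm the flag on the policy, then list any user mailbox
# that is still outside it (this list should be empty after the loop above).
Get-OwaMailboxPolicy -Identity $PolicyName |
    Select-Object Name, PersonalAccountsEnabled
Get-CASMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.OwaMailboxPolicy -ne $PolicyName } |
    Select-Object Identity, OwaMailboxPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

As pawelmu notes further down the thread, this setting only stops new personal accounts from being added; accounts a user connected before the policy was applied keep working, so the verification step does not cover those.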

    • TandyWine
      Iron Contributor
      Robert, this is good news. I just wanted to confirm - is this true for the new Outlook desktop client?
      • RobYoung
        Iron Contributor
        This is for the new Outlook client. I am about to test it with a handful of users.
  • pawelmu
    Copper Contributor

    It seems this OWA policy only prevents adding new personal accounts to the New Outlook, but existing accounts will still work (tested).

    What is even funnier, I can log out the account with the OWA policy enabled from New Outlook, add my Gmail account (policy not applied at this point) and then just add the initial account back. And all the accounts will just work, including Gmail.


    Is there any policy to prevent users from removing their default accounts, so the OWA policy will be applied the whole time?

  • drogu-kangaroo
    Copper Contributor

    66 views but no replies. Am I in the correct forum for asking this question?
    Any suggestions from anyone on where I can post this question and get Microsoft's attention? This is a pretty serious security concern. Just because you can allow users to add personal email accounts to Outlook doesn't mean all businesses are OK with that. We need to be able to choose.

  • Victor_Ivanidze
    Bronze Contributor
    Hello,
    but the old Outlook also allows users to add personal Gmail accounts to their Outlook profile, doesn't it?
    • RobYoung
      Iron Contributor
      The old Outlook allows you to block via policy. The new Outlook creates a connection to your Gmail and syncs everything to the Microsoft cloud, and the old policies do not apply. I am also trying to find a way to disable this feature.
  • HeyHey16K
    Steel Contributor
    We just started trialling new Outlook and noticed this too. Our Office policy explicitly blocks any non-Exchange accounts, which classic Outlook respects, but new Outlook ignores. Be good to hear from Microsoft on this, hopefully it's just an oversight.
    • HeyHey16K
      Steel Contributor
      We just had this reply from Microsoft support:

      I checked with our escalations team, and the feature you are asking for, which is to prevent end users from adding their personal or third-party accounts is being developed. We do not have an exact ETA on when it will be rolled out, but it's a high priority item requested by other enterprise organizations, so hopefully soon.

      In the meantime, the workaround to mitigate the security risks is to disable the new Outlook, either by hiding the toggle switch, restricting mailbox connections, or both.

      Hope the provided information has addressed your concern,
      Regards!
  • Simon725
    Copper Contributor
    Of equal concern is the data grab of Gmail info MS exerts by funneling all local account data through the MS cloud. What on earth happened to the concept of a client?

    I'll be switching my primary mail client to Thunderbird or similar, with no intention of putting every Gmail account I have into the same bucket as my Outlook data in the MS cloud.
  • Kostas1978
    Copper Contributor
    Guys, is there a way to remove already added accounts from a user's Outlook profile? OK, we are blocking them from adding new ones, but how can I manage the already added ones?
    • csrswalch
      Brass Contributor
      +1 for this request. To be honest, we're not even sure how many or who, but it would be great to be able to lock it down after the fact.
  • Yogi777
    Copper Contributor
    Absolutely horrible, but the policy setting -PersonalAccountsEnabled $false works.

    Microsoft please...
