Forum Discussion
New Outlook opens security hole
Hello,
We just tested the New Outlook and discovered that it allows users to add personal Gmail accounts to their Outlook profile. We have intentionally blocked 3rd party email services to prevent data loss. We don't ever want an end user to be able to send out confidential corporate information with their personal email account. Is there no way to disable this 'feature' for our tenant? You are now effectively bypassing all the data loss prevention security we have put in place around email, including explicit blocks for Gmail and Yahoo on our firewall.
- RobYoung, Iron Contributor
Just an update, I performed the following test again and it did work:
Create a test OWA policy using PowerShell:
New-OwaMailboxPolicy TestOWAPolicy
Then I disabled personal accounts:
Set-OwaMailboxPolicy -PersonalAccountsEnabled $false -Identity TestOWAPolicy
Then I applied the policy to a test user:
Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy
I then tried to add my personal mailbox to my Outlook. It goes through the motions and, just as it is about to sync, I get this:
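The three steps above, as an added example that is not code from the thread: it wraps them in a re-runnable script and adds the audit a defender would want afterwards, listing every mailbox that is not yet on a policy with PersonalAccountsEnabled turned off. The policy name and the mailbox addresses are placeholders; it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the thread): create the OWA mailbox policy, turn off
# personal accounts, assign it, then audit which mailboxes are still uncovered.
# Requires the ExchangeOnlineManagement module. Policy name and mailbox list are
# placeholders.
Connect-ExchangeOnline

$PolicyName = 'TestOWAPolicy'

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}

# Block adding personal / third-party accounts in Outlook on the web and new Outlook.
# $false is passed as a value; "-$false" (as typed in the thread) is a syntax slip.
Set-OwaMailboxPolicy -Identity $PolicyName -PersonalAccountsEnabled $false

# Assign the policy to the target mailboxes. Placeholder list; in production this
# would normally be every user mailbox in the tenant.
$targets = @('user1@contoso.example', 'user2@contoso.example')
foreach ($upn in $targets) {
    Set-CASMailbox -Identity $upn -OwaMailboxPolicy $PolicyName
}

# Verification 1: the policy object really has the setting off.
$policy = Get-OwaMailboxPolicy -Identity $PolicyName
if ($policy.PersonalAccountsEnabled) {
    Write-Warning "PersonalAccountsEnabled is still true on $PolicyName"
}

# Verification 2: mailboxes NOT assigned to any policy that blocks personal accounts.
# Every mailbox listed here can still add a Gmail/Yahoo account in new Outlook.
$blocking = (Get-OwaMailboxPolicy | Where-Object { -not $_.PersonalAccountsEnabled }).Name
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { "$($_.OwaMailboxPolicy)" -notin $blocking } |
    Select-Object PrimarySmtpAddress, OwaMailboxPolicy |
    Format-Table -AutoSize
```

Re-running the audit after the assignment should produce an empty table; as later posts in the thread note, the policy only stops new personal accounts from being added, so accounts connected before it applied still need separate handling.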
- pawelmu, Copper Contributor
It seems this OWA policy only prevents adding new personal accounts to the New Outlook, but existing accounts will still work (tested).
What is even funnier, I can log out the account with the OWA policy enabled from New Outlook, add my Gmail account (policy not applied at this point) and then just add the initial account back. And all the accounts will just work, including Gmail.
Is there any policy to prevent users from removing their default accounts, so the OWA policy will be applied the whole time?
- drogu-kangaroo, Copper Contributor
66 views but no replies. Am I in the correct forum for asking this question?
Any suggestions from anyone on where I can post this question and get Microsoft's attention? This is a pretty serious security concern. Just because you can allow users to add personal email accounts to Outlook doesn't mean all businesses are OK with that. We need to be able to choose.
- Victor_Ivanidze, Bronze Contributor
Hello,
but the old Outlook also allows users to add personal Gmail accounts to their Outlook profile, doesn't it?
- RobYoung, Iron Contributor
The old Outlook allows you to block via policy. The new Outlook creates a connection to your Gmail and syncs everything to the Microsoft cloud, and the old policies do not apply. I am also trying to find a way to disable this feature.
- RobYoung, Iron Contributor
Just an FYI, I am in the process of testing the OWA policies, which seem to apply to both Outlook on the Web and "New Outlook".
I have set up a test OWA policy:
New-OwaMailboxPolicy TestOWAPolicy
Then I disabled personal accounts:
Set-OwaMailboxPolicy -PersonalAccountsEnabled $false -Identity TestOWAPolicy
Then I applied the policy to a test user:
Set-CASMailbox email address removed for privacy reasons -OwaMailboxPolicy TestOWAPolicy
Just waiting for the policy to kick in.
Here is the link for reference:
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/apply-or-remove-outlook-web-app-mailbox-policy
- HeyHey16K, Steel Contributor
We just started trialling new Outlook and noticed this too. Our Office policy explicitly blocks any non-Exchange accounts, which classic Outlook respects but new Outlook ignores. It would be good to hear from Microsoft on this; hopefully it's just an oversight.
- HeyHey16K, Steel Contributor
We just had this reply from Microsoft support:
I checked with our escalations team, and the feature you are asking for, which is to prevent end users from adding their personal or third-party accounts, is being developed. We do not have an exact ETA on when it will be rolled out, but it's a high-priority item requested by other enterprise organizations, so hopefully soon.
In the meantime, the workaround to mitigate the security risks is to disable the new Outlook, either by hiding the toggle switch, restricting mailbox connections, or both.
Hope the provided information has addressed your concern,
Regards!
- drogu-kangaroo, Copper Contributor
While we wait for Microsoft to provide a way to block 3rd-party email from being added by end users, we were able to completely disable New Outlook following the steps in this article:
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/enable-disable-employee-access-new-outlook
We also deployed a registry change to end users with PowerShell to remove the button from Outlook. Run it in the user context, because the key is under HKCU:
# Create the key path first; Set-ItemProperty fails if it does not exist yet.
$regPath = 'HKCU:\SOFTWARE\Microsoft\office\16.0\Outlook\Options\General'
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
Set-ItemProperty -Path $regPath -Name "HideNewOutlookToggle" -Value 1 -Type DWord
- TandyWine, Iron Contributor
Here's a request I made on Microsoft's feedback portal to request that they add the capability to the new Outlook to prevent users from adding mailboxes outside the current company tenant. Please click, comment and upvote! https://feedbackportal.microsoft.com/feedback/idea/13a11c07-700f-ee11-a81c-000d3ae5b6f4
- Simon725, Copper Contributor
Of equal concern is the data grab of Gmail info MS exerts by funneling all local account data through the MS cloud. What on earth happened to the concept of a client?
I'll be switching my primary mail client to Thunderbird or similar, with no intention of putting every Gmail account I have into the same bucket as my Outlook data in the MS cloud.
- Kostas1978, Copper Contributor
Guys, is there a way to remove already added accounts from a user's Outlook profile? OK, we are blocking them from adding new ones, but how can I manage the already added ones?
- csrswalch, Brass Contributor
+1 for this request. To be honest, we're not even sure how many or who, but it would be great to be able to lock it down after the fact.
- Yogi777, Copper Contributor
Absolutely horrible, but the policy setting -PersonalAccountsEnabled $false works.
Microsoft please...