
Conditional Access in Outlook on the web for Exchange Online

 

We live in a world where employees want to use a wide range of devices; this includes corporate-owned assets, as well as their personal devices, and public or shared devices.  While we want everyone to be empowered to work productively, we need to ensure we protect corporate data.

 

The freedom to work fluidly, independent of location, has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications. 

 

The Exchange Online and Outlook on the web teams have been investing to ensure we are able to respond to evolving security challenges.  We start this journey by introducing Conditional Access policies for Outlook on the web.  Conditional Access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device.

 

Last week at the Microsoft Ignite conference we announced and demoed how to configure the new Conditional Access policies.  These policies restrict users from downloading email attachments to the local machine when the device is not compliant.  With the power of the Office Web Apps, users can continue to view and edit these files safely, without leaking data to a personal machine.  If you instead want to block attachments fully (when on a non-compliant device), we also support that!

 

Steps to Configure Conditional Access / Limited Access for Outlook on the Web

To configure Outlook on the web Conditional Access, follow these steps:

  • Connect to an Exchange Online Remote PowerShell session.
  • Create a new OwaMailboxPolicy, or edit your existing one, and set its ConditionalAccessPolicy:

    Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly

  • Configure an Azure Active Directory Conditional Access policy in the Azure Portal:

    Figure 1: In the new policy, enable Exchange Online in the App Selection


    Figure 2: Enable App Enforced Restrictions for Session Controls

To learn more about conditional access in Azure Active Directory see this.
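The Exchange Online half of the procedure above, written out as an added example (not code from the original post). It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) rather than the classic Remote PowerShell session, and uses placeholder names for the admin account, the policy and the test mailbox. The Azure AD Conditional Access policy with app enforced restrictions (Figures 1 and 2) still has to be created in the Azure Portal; it is not scripted here. The verification step at the end reflects the point raised in the comments: the parameter must be set on the OWA mailbox policy that is actually assigned to the user, not only on Default.

```powershell
# Added example, not from the original post. Assumes the Exchange Online
# PowerShell module; all account, policy and mailbox names are placeholders.

# 1. Connect to Exchange Online PowerShell.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = 'OWA-LimitedAccess'            # hypothetical policy name
$testUser   = 'test.user@contoso.example'    # hypothetical mailbox

# 2. Create a dedicated policy instead of editing Default, so the limited
#    experience can be scoped to specific mailboxes; reuse it if it exists.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# ReadOnly removes download/offline options but keeps viewing and editing in
# the Office Web Apps; ReadOnlyPlusAttachmentsBlocked hides attachments fully.
Set-OwaMailboxPolicy -Identity $policyName -ConditionalAccessPolicy ReadOnly

# 3. Assign the policy to the mailbox (this is the Set-CASMailbox step
#    mentioned in the comments).
Set-CASMailbox -Identity $testUser -OwaMailboxPolicy $policyName

# 4. Verify that the mailbox points at the policy and that the policy is
#    ReadOnly. Allow a couple of hours before expecting the change in OWA.
$assigned = (Get-CASMailbox -Identity $testUser).OwaMailboxPolicy
$mode     = (Get-OwaMailboxPolicy -Identity $assigned).ConditionalAccessPolicy
if ($assigned -eq $policyName -and $mode -eq 'ReadOnly') {
    Write-Output "OK: $testUser uses $assigned with ConditionalAccessPolicy=$mode"
} else {
    Write-Warning "Mismatch: $testUser uses '$assigned' (ConditionalAccessPolicy=$mode)"
}

# Audit: list every OWA mailbox policy still set to Off. Users on those
# policies get the full experience even if the Azure AD rule matches them.
Get-OwaMailboxPolicy |
    Where-Object { $_.ConditionalAccessPolicy -eq 'Off' } |
    Select-Object Name, ConditionalAccessPolicy
```

The audit query at the end is the quickest way to diagnose the "it didn't apply" situation described in the comments: if the policy returned by Get-CASMailbox for the affected user appears in that list, the parameter was changed on the wrong policy.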

 

Once you have properly configured the policies in both Exchange Online and the Azure Portal, your users on non-compliant devices will start getting the Limited Access experience.

 

Figure 3: Notice that the download option, as well as the option to enable Offline access, have been removed

 

Figure 4: The Office Web Editors will also show a banner informing the user that they have reduced capabilities due to their device compliance state.

 

We look forward to hearing how this works for your organizations!  We will continue to invest in ensuring that we provide the right level of access to your users so they can stay productive, all while protecting your corporate data.

 

David Los

22 Comments
Contributor

This looks great thanks! Will the ability to modify the OWA policy extend to the GUI in Exchange Admin Centre?

Hello David,

 

Can you please clarify what license is required to deploy this feature? Do I need an AAD P1 / P2, or is it part of the Office E1 subscription?

 

Thank you,

Catalin ROMAN 

 

Contributor

You'll definitely need AAD P1 and above for conditional access. We have an E3 licence with an EMS subscription.

In case you want to see a demo. @David Los did a great session at Ignite last week.

Contributor

I have run this command and it also worked in PowerShell, but it didn't apply to the users I assigned via the conditional access policy. Please help me out with this!!

Contributor

It also doesn't reflect in the OWA of the user I applied it to via conditional access. Sharing the screenshot for the same.

Anonymous
Not applicable

First of all, this is a great improvement - thanks! :)

 

Now a question: will this ability to stop users accessing/downloading files and data extend to all other areas of Office 365? e.g. One Drive.

 

I want to be able to restrict users from logging on to their own home machines, or potentially some other unauthorised machines, and then accessing and downloading data to them - the reason being to protect our data by only allowing it on our company machines which we have full control over.

Regular Visitor

Very cool stuff.  Does this require AD FS similar to how attachment handling required it for public/private network via OwaMailboxPolicy?  In other words, for clients that are doing PTA and not doing AD FS, can they leverage this?!?!

 

UPDATE: AD FS is not required.  This is quite cool.  What is not entirely clearly explained, although this is simple enough to figure out, is that you must turn this parameter on for policies that are already mapped to users in Exchange.  For the person above who is not seeing the change, make sure you have updated the OWA policy being applied to the user, and then make sure you are logging in with a fresh session, and you should see restrictions in place.  So if a user is not being given the default OWA policy, then you must change that policy to be conditional access enabled such that you can drop them into read only via conditions from the conditional access rule.  This is very cool, and yes we have wanted this for a long time - bravo Microsoft.  I was testing with an account that had legacy OWA test policies and I had not updated the parameter (-ConditionalAccessPolicy) on the correct policy :)

Microsoft

David Gorman - Thank you for your interest in this feature!  At this time, we don't have a plan to introduce this to the admin portal.  We will likely keep management of the OWAMailboxPolicy via PowerShell.

Microsoft

Mitul Sinha - Thanks for trying out Conditional Access for Outlook on the Web.  A couple of follow-up questions.  Did you create a new OWA Mailbox Policy and assign it to your test user (Set-CASMailbox)?  Did you configure the policy also in the Azure portal?  After you create the policies in both places it will take a couple of hours for it to become active.
Contributor

@Anonymous

You can prevent non-compliant devices from downloading files from OneDrive. You need to look at the SharePoint Admin page and "Access Control".  Select "Limited Web Only Access or Block" depending on what you want. You then need to create a Conditional Access policy for SharePoint and under "Access Control" select "Use App Enforced Restrictions".

 

If you have the advanced version of "Microsoft Cloud App Security"  you can do the same thing.

 

 

New Contributor

Tested and all worked fine. The biggest issue is how to get a device marked as compliant. We don't have Intune but we do have AAD P1/P2. Is there a way to force a device as compliant based on criteria I can control without Intune ??

We use Blackberry UEM 12.9 ($%#%$@%%)

Anonymous
Not applicable

Hi David, 

 

In the Access Control/Grant section, do we have to do something there like selecting Require device to be marked as compliant or Require Hybrid Azure AD joined device? or just leave it blank?

Occasional Visitor

Hi,

 

This is working very nicely, thanks - however, copy/paste still works (e.g. from an Excel/PowerPoint/email) - any option or idea to disable/restrict that too?

 

Many thanks,

Tamas

 

Occasional Visitor

Hi,

 

First feedback from customers is that the option is great, but the message is not always very clear for the end-user.

Can this message be changed or can this option be added?

The user that they have reduced capabilities due to their device compliance state.

 

Many Thanks,

Jurgen

Frequent Visitor

Hello, 

Is there a way to set Conditional Access to Exchange Online based on time of day?

Microsoft

Les - We do not support time-based configuration for Conditional Access.  Do you mind sharing a bit of detail on why this would be something you would like to see?  How would you use it?

 

Thanks!

David Los


Frequent Visitor

David,

Thanks for the reply.

This is a client request.  The client is a large Law firm with a call center.  The request is to restrict the call center users from accessing Exchange Online during non business hours due to potential sensitive information. 

Occasional Visitor

Very nice extension to OWA policy and I can leverage AAD conditions to control when this is applied.

 

There is an enterprise ask to limit additional features in one of these types of sessions. One business unit wants their users to see calendar only, for instance. Due to data loss concerns, our security team would also like to disable printing - although we try to explain that you can copy HTML content from a browser window no matter what we do.

 

Are there any plans to extend the other controls in an OWA policy to be part of the 'Limited Experience'? I see a section but cannot edit it called "ConditionalAccessFeatures".

 

It would almost be great if I could apply a particular OWA policy instead of just Public/Private computer distinction. Such as, "user normal policy" for everyday access and "user limited experience policy" for certain conditions.

New Contributor

Will the read only feature apply to users using the Outlook desktop app?

For example, I want to make sure users don't install Outlook on grandma's PC and be able to download attachments.

 

 

Microsoft
@Patrick F wrote - 

Will the read only feature apply to users using the Outlook desktop app?

For example, I want to make sure users don't install Outlook on grandma's PC and be able to download attachments.

You can actually do similar Conditional Access Policies for the office apps.  In the example I walked through, we restricted to just the Web apps (Outlook on the Web).  However, you can create a policy that restricts the Windows apps. 

 

What you are describing, you might actually want to explore the On/Off Network Policy section of Conditional Access.

Microsoft

@JMSIII wrote: Very nice extension to OWA policy and I can leverage AAD conditions to control when this is applied.

Really happy to hear you are liking this feature!  I think it really helps protect data, while still enabling our users to access data in a rich experience!

 

There is an enterprise ask to limit additional features in one of these types of sessions. One business unit wants their users to see calendar only, for instance. Due to data loss concerns, our security team would also like to disable printing - although we try to explain that you can copy HTML content from a browser window no matter what we do.

Right now we don't have anything on our roadmap to limit large portions of the app, such as restricting to only Calendar when not on a compliant device.  However, can you provide a bit more detail on why they would want this?  Calendar items can have just as sensitive data in them as email.  Plus, as you know, creating calendar invites relies on mail as well.

 

For printing, even if the Outlook on the Web app removes and hides all of the printing functionality, this would not be able to disable the print functionality that is right in the browser.  The web app isn't able to disable that functionality.  Does just hiding the print buttons in our app help?

 

 

Are there any plans to extend the other controls in an OWA policy to be part of the 'Limited Experience'? I see a section but cannot edit it called "ConditionalAccessFeatures".

Right now, we don't have anything to share.  However, we are keeping a very close eye on how everyone wants to see this scenario grow.  So offer up all of your feedback, we are for sure listening!