Conditional Access in Outlook on the web for Exchange Online


We live in a world where employees want to use a wide range of devices; this includes corporate owned assets, as well as their personal devices, and public or shared devices.  While we want everyone to be empowered to work productively, we need to ensure we protect corporate data.


The freedom to work fluidly, independent of location, has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications. 


Exchange Online and Outlook on the web have been investing to ensure we are able to respond to evolving security challenges.  We start this journey by introducing Conditional access policies for Outlook on the web.  Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. 


Last week at the Microsoft Ignite conference we announced and demoed how to configure the new conditional access policies.  These policies restrict the ability of users to download attachments from email to a local machine when their devices are not compliant.  With the power of the Office Web Apps, users can continue to view and edit these files safely, without leaking data to a personal machine.  If you instead want to block attachments fully (when on a non-compliant device) we also support that!


Steps to Configuring Conditional Access / Limited Access for Outlook on the Web

To configure Outlook on the web Conditional Access follow these steps:

  • Connect to Exchange Online Remote PowerShell Session
  • Create a New OwaMailboxPolicy or Edit your existing one


Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly


  • Configure an Azure Active Directory Conditional Access Policy in the Azure Portal


    Figure 1: In the new policy enable Exchange Online in the App Selection


    Figure 2: Enable App Enforced Restrictions for Session Controls

To learn more about conditional access in Azure Active Directory see this.
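
The setting only takes effect for a user when it is enabled on the OWA mailbox policy actually assigned to that user's mailbox. The following check is an added example, not code from the original post: it lists mailboxes whose effective policy does not have ConditionalAccessPolicy enabled. The function name Get-OwaConditionalAccessGap and the sample objects are hypothetical; the property names are assumed to match the output of Get-OwaMailboxPolicy and Get-CASMailbox.

```powershell
# Added example: report mailboxes whose effective OWA mailbox policy has
# ConditionalAccessPolicy left Off, so the Azure AD "app enforced restrictions"
# session control would have nothing to enforce for them.
function Get-OwaConditionalAccessGap {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,   # e.g. output of Get-OwaMailboxPolicy
        [Parameter(Mandatory)] [object[]] $Mailboxes   # e.g. output of Get-CASMailbox
    )
    # Index policies by name and remember the default policy, which is
    # assumed to apply to mailboxes with no explicit assignment.
    $byName = @{}
    foreach ($p in $Policies) { $byName[[string]$p.Name] = $p }
    $default = $Policies | Where-Object { $_.IsDefault } | Select-Object -First 1

    foreach ($mbx in $Mailboxes) {
        $name = [string]$mbx.OwaMailboxPolicy
        if (-not $name)                    { $effective = $default }
        elseif ($byName.ContainsKey($name)) { $effective = $byName[$name] }
        else                               { $effective = $null }   # assigned policy not found

        $mode = if ($effective) { [string]$effective.ConditionalAccessPolicy } else { 'Unknown' }
        if ($mode -notin 'ReadOnly', 'ReadOnlyPlusAttachmentsBlocked') {
            [pscustomobject]@{
                Mailbox                 = $mbx.Name
                Policy                  = if ($effective) { $effective.Name } else { $name }
                ConditionalAccessPolicy = $mode
            }
        }
    }
}

# Constructed sample data (not from a real tenant).
$policies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; IsDefault = $true;  ConditionalAccessPolicy = 'ReadOnly' }
    [pscustomobject]@{ Name = 'Legacy-Test';              IsDefault = $false; ConditionalAccessPolicy = 'Off' }
)
$mailboxes = @(
    [pscustomobject]@{ Name = 'alice'; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
    [pscustomobject]@{ Name = 'bob';   OwaMailboxPolicy = 'Legacy-Test' }
    [pscustomobject]@{ Name = 'carol'; OwaMailboxPolicy = $null }
)
Get-OwaConditionalAccessGap -Policies $policies -Mailboxes $mailboxes | Format-Table

# Against a live tenant, after connecting to Exchange Online:
# Get-OwaConditionalAccessGap -Policies (Get-OwaMailboxPolicy) -Mailboxes (Get-CASMailbox -ResultSize Unlimited)
```

Any mailbox this reports needs its assigned policy updated with Set-OwaMailboxPolicy, or a different policy assigned with Set-CASMailbox, before the limited access experience can apply to it.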


Once you have properly configured the policies in both Exchange Online and the Azure Portal, your users who are on non-compliant devices will start getting the Limited Access Experience.



Figure 3: Notice that the download, as well as enabling Offline access options have been removed



Figure 4: The Office Web Editors will also have a banner informing the user that they have reduced capabilities due to their device compliance state.


We look forward to hearing how this works for your organizations!  We will continue to invest in ensuring that we provide the right level of access to your users so they can stay productive, all while protecting your corporate data.


David Los

Occasional Contributor

This looks great thanks! Will the ability to modify the OWA policy extend to the GUI in Exchange Admin Centre?

Hello David,


Can you please clarify what license is required to deploy this feature? Do I need an AAD P1 / P2 or is it part of the Office E1 subscription?


Thank you,

Catalin ROMAN 


Occasional Contributor

You'll definitely need AAD P1 and above for conditional access. We have an E3 licence with an EMS subscription.

In case you want to see a demo. @David Los did a great session at Ignite last week.



I ran this command and it worked in PowerShell, but it didn't apply to my users, whom I assigned via the conditional access policy. Please help me out with this!!


It doesn't even reflect in the OWA of the user to whom I applied it via conditional access. Sharing the screenshot for the same.



Occasional Visitor

First of all, this is a great improvement - thanks! :)


Now a question: will this ability to stop users accessing/downloading files and data extend to all other areas of Office 365? e.g. One Drive.


I want to be able to restrict users from logging on to their own home machines, or potentially some other unauthorised machines, and then accessing and downloading data to them - the reason being to protect our data by only allowing it on our company machines which we have full control over.

Regular Visitor

Very cool stuff.  Does this require AD FS similar to how attachment handling required it for public/private network via OwaMailboxPolicy?  In other words, for clients that are doing PTA and not doing AD FS, can they leverage this?!?!


UPDATE: AD FS is not required.  This is quite cool.  What is not entirely clearly explained, although this is simple enough to figure out, is that you must turn this parameter on for policies that are already mapped to users in Exchange.  For the person above who is not seeing the change, make sure you have updated the OWA policy being applied to the user, and then make sure you are logging in with a fresh session and you should see restrictions in place.  So if a user is not being given the default OWA policy, then you must change that policy to be conditional access enabled such that you can drop them into read only via conditions from the conditional access rule.  This is very cool, and yes we have wanted this for a long time - bravo Microsoft.  I was testing with an account that had legacy OWA test policies and I had not updated the parameter (-ConditionalAccessPolicy) on the correct policy :)

David Gorman - Thank you for your interest in this feature!  At this time, we don't have a plan to introduce this to the admin portal.  We will likely keep management of the OWAMailboxPolicy via PowerShell.

Mitul Sinha - Thanks for trying out Conditional Access for Outlook on the Web.  A couple of follow-up questions.  Did you create a new OWA Mailbox Policy and assign it to your test user (Set-CASMailbox)?  Did you also configure the policy in the Azure portal?  After you create the policies in both places it will take a couple of hours for it to become active.

Occasional Contributor

@Stephen Pickett

You can prevent non-compliant devices from downloading files from OneDrive. You need to look at the SharePoint Admin page and "Access Control".  Select "Limited Web Only Access or Block" depending on what you want. You then need to create a Conditional Access policy for SharePoint and under "Access Control" select "Use App Enforced Restrictions".


If you have the advanced version of "Microsoft Cloud App Security"  you can do the same thing.



New Contributor

Tested and all worked fine. The biggest issue is how to get a device marked as compliant. We don't have Intune but we do have AAD P1/P2. Is there a way to force a device as compliant based on criteria I can control without Intune ??

We use Blackberry UEM 12.9 ($%#%$@%%)

Not applicable

Hi David, 


In the Access Control/Grant section, do we have to do something there like selecting Require device to be marked as compliant or Require Hybrid Azure AD joined device? or just leave it blank?

Occasional Visitor



This is working very nicely thanks - however, copy paste still works (eg: from an Excel/Powerpoint/email) - any option or idea to disable/restrict that too?


Many thanks,



Occasional Visitor



First feedback from customers is that the option is great, but the message is not always very clear for the end-user.

Can this message be changed or can this option be added?

The user that they have reduced capabilities due to their device compliance state.


Many Thanks,