Restrict mobile access to email for specific users

%3CLINGO-SUB%20id%3D%22lingo-sub-1743710%22%20slang%3D%22en-US%22%3ERestrict%20mobile%20access%20to%20email%20for%20specific%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1743710%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20like%20to%20block%20mobile%20access%20to%20emails%20for%20specific%20users%20in%20my%20organization.%20This%20includes%20the%20native%20mail%20app%20on%20the%20phone%2C%20any%20other%20mail%20app%20on%20the%20phone%20(including%20Outlook)%2C%20as%20well%20as%20any%20browser%20on%20the%20phone.%26nbsp%3B%20This%20is%20because%20these%20users%20have%20access%20to%20sensitive%20information%20about%20the%20company.%20All%20other%20users%20should%20be%20able%20to%20access%20mobile%20emails.%3C%2FP%3E%3CP%3EI%20tried%20using%20the%20quarantine%20policy%2C%20from%20the%20exchange%20admin%2C%20however%2C%20that%20does%20not%20prevent%20the%20users%20from%20using%20the%20web%20browser%20to%20access%20the%20emails%20via%20outlook.com%20on%20their%20mobile.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1743710%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1743873%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20mobile%20access%20to%20email%20for%20specific%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1743873%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F819623%22%20target%3D%22_blank%22%3E%40keshavadmin%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20Exchange%20Admin%20Centre%2C%20find%20the%20recipients%20and%20edit%20the%20mailbox%20-%20in%20Mailbox%20Features%20you%20should%20see%20an%20option%20to%20disable%20OWA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22owa.png%22%20style%3D%22width%3A%20323px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F224090i69CEC87E2B55A62E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22owa.png%22%20alt%3D%22owa.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20wording%2Flocation%20may%20be%20different%20depending%20on%20your%20version%20of%20Exchange%2C%20disabling%20will%20stop%20those%20specific%20users%20from%20being%20able%20to%20log%20onto%20OWA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1744092%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20mobile%20access%20to%20email%20for%20specific%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1744092%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20setup%20may%20change%20depending%20if%20the%20devices%20are%20managed%20or%20not.%20If%20they%20are%20managed%20in%20Intune%2C%20you%20may%20be%20able%20to%20configure%20device%20restrictions%20to%20block%20the%20in-built%20apps%20to%20achieve%20what%20you're%20after.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Fdevice-profile-create%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Fdevice-profile-create%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you're%20running%20Microsoft365%20and%20have%20access%20to%20Cloud%20App%20Security%2C%20creating%20a%20conditional%20access%20policy%20that%20targets%20those%20users%20and%2For%20devices%20may%20achieve%20what%20you're%20after.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-block-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-block-access%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20also%20setup%20session%20policies%20which%20give%20you%20real-time%20session-level%20monitoring%2C%20with%20the%20ability%20to%20take%20different%20actions%20depending%20on%20the%20policy%20you%20set%20for%20the%20user%20session.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fsession-policy-aad%23block-activities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fsession-policy-aad%23block-activities%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F819623%22%20target%3D%22_blank%22%3E%40keshavadmin%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I would like to block mobile access to emails for specific users in my organization. This includes the native mail app on the phone, any other mail app on the phone (including Outlook), as well as any browser on the phone.  This is because these users have access to sensitive information about the company. All other users should be able to access mobile emails.

I tried using the quarantine policy, from the exchange admin, however, that does not prevent the users from using the web browser to access the emails via outlook.com on their mobile.

5 Replies
Highlighted

Hi @keshavadmin 

 

In the Exchange Admin Centre, find the recipients and edit the mailbox - in Mailbox Features you should see an option to disable OWA.

 

owa.png

 

The wording/location may be different depending on your version of Exchange, disabling will stop those specific users from being able to log onto OWA.

Highlighted

The setup may change depending if the devices are managed or not. If they are managed in Intune, you may be able to configure device restrictions to block the in-built apps to achieve what you're after. 

https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

 

If you're running Microsoft365 and have access to Cloud App Security, creating a conditional access policy that targets those users and/or devices may achieve what you're after. 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...

 

You can also setup session policies which give you real-time session-level monitoring, with the ability to take different actions depending on the policy you set for the user session.

https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad#block-activities

 

@keshavadmin 

Highlighted

@keshavadmin 

 

To expand on what @hidmov suggests, you'll also want to "Disable Exchange ActiveSync" and "Disable OWA for Devices" under the Mobile Devices Section (via EAC). If you're using the New EAC, the language is a bit different, but the process is the same. 

Highlighted
@lance-aughey

So, if I’m not wrong, this allows me to:
1. Block Outlook Web App access on mobile
2. Block Outlook App access on mobile
3. Block Native Mail App access via Exchange Active Sync (Can they still use IMAP or POP for this?)
4. Allows them access to Outlook Web App on a PC.
5. Allows them access to Outlook Desktop app.
Please suggest if this is the case. It seems to be my ideal situation.
Highlighted
Access to IMAP/POP are managed through EAC the same as the other protocols -- enable/disable as you wish. The only thing to note is #4 (and #5)...as I understand it, if you disable Outlook Web App, it prohibits the user from opening Outlook via a browser, regardless of whether or not it's Mobile or Desktop.