Oct 04 2020 01:10 PM
I would like to block mobile access to emails for specific users in my organization. This includes the native mail app on the phone, any other mail app on the phone (including Outlook), as well as any browser on the phone. This is because these users have access to sensitive information about the company. All other users should be able to access mobile emails.
I tried using the quarantine policy from the Exchange admin; however, that does not prevent the users from using the web browser to access the emails via outlook.com on their mobile.
Oct 04 2020 02:38 PM
Hi @keshavadmin
In the Exchange Admin Centre, find the recipients and edit the mailbox - in Mailbox Features you should see an option to disable OWA.
The wording/location may be different depending on your version of Exchange; disabling will stop those specific users from being able to log onto OWA.
Oct 04 2020 08:57 PM
The setup may change depending on whether the devices are managed or not. If they are managed in Intune, you may be able to configure device restrictions to block the in-built apps to achieve what you're after.
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
If you're running Microsoft 365 and have access to Cloud App Security, creating a conditional access policy that targets those users and/or devices may achieve what you're after.
You can also set up session policies which give you real-time session-level monitoring, with the ability to take different actions depending on the policy you set for the user session.
https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad#block-activities
Oct 05 2020 09:40 AM
To expand on what @hidmov suggests, you'll also want to "Disable Exchange ActiveSync" and "Disable OWA for Devices" under the Mobile Devices Section (via EAC). If you're using the New EAC, the language is a bit different, but the process is the same.
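Added example, not part of any post in this thread: the three EAC switches named in the replies above (OWA, Exchange ActiveSync, OWA for Devices) applied to a list of users with Set-CASMailbox and then read back to confirm nothing is still enabled. It assumes an Exchange Online PowerShell session is already connected, and the mailbox addresses are constructed placeholders.

```powershell
# Assumption: an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).
# Constructed placeholder addresses; replace with the restricted users.
$restrictedUsers = @(
    'restricted.user1@contoso.example',
    'restricted.user2@contoso.example'
)

# The three per-mailbox switches named in the replies above.
$settings = @{
    OWAEnabled           = $false   # Outlook on the web; this also blocks desktop browsers
    ActiveSyncEnabled    = $false   # mail apps that sync over Exchange ActiveSync
    OWAforDevicesEnabled = $false   # "OWA for Devices"
}

foreach ($user in $restrictedUsers) {
    try {
        # Splat the hashtable so the same keys drive both the change and the check below
        Set-CASMailbox -Identity $user @settings -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not update ${user}: $($_.Exception.Message)"
    }
}

# Read each mailbox back and collect any setting that is still enabled
$stillEnabled = foreach ($user in $restrictedUsers) {
    $cas = Get-CASMailbox -Identity $user -ErrorAction SilentlyContinue
    if (-not $cas) {
        Write-Warning "No mailbox found for $user"
        continue
    }
    foreach ($name in $settings.Keys) {
        if ($cas.$name) {
            [pscustomobject]@{ Mailbox = $user; Setting = $name; Value = $cas.$name }
        }
    }
}

if ($stillEnabled) {
    $stillEnabled | Format-Table -AutoSize
}
else {
    Write-Output 'OWA, ActiveSync and OWA for Devices are disabled on every mailbox that was found.'
}
```

Because OWAEnabled is a per-mailbox switch, it removes browser access to the mailbox from every device, not only from phones.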
Oct 05 2020 11:09 AM
Oct 05 2020 12:08 PM
Dec 01 2020 12:55 PM
@keshavadmin An alternative approach would be to use Sensitivity Labels and DLP policies to block the access to sensitive information while providing access to other information. This would be a much better user experience and would provide many other benefits.