Attaching files from an unmanaged device via OWA with conditional Access


Hi 

 

We are running Conditional Access with app-enforced restrictions set in both Exchange Online and SharePoint, and provide access via OWA.

Our settings are set to:

Exchange Online CA policy - read only

SharePoint from unmanaged devices, web access only

These work well and prevent saving of attachments to personal devices, and the save location is limited to OneDrive.

The issue we have is that when a user attempts to attach a file from an unmanaged device, they are getting an error: "The following couldn't be attached xxxxx.doc. Please try again later."

 

Does anyone know if this is a limitation of applying Conditional Access, or do we have a potential issue?

 

Thanks

2 Replies

@Kanoni40 What type of device are you testing on?

 

I'd like to understand the full case here. Is the behaviour the same for Windows, macOS, iOS and Android? Thanks!


@JanBakker330 

 

Hi, thanks for getting back.

 

Mobile devices are fine as we use MAM app protection policies to secure these devices and this allows for the attachment of files.

On Windows and macOS devices, we restrict access to browser only via Conditional Access and use "Use App enforced restrictions" in the session control for both Exchange and SharePoint.

SharePoint is set to limited, web access only, so no files can be downloaded, synced or printed from an unmanaged device.

Exchange is set to read only with attachments.

 

When attempting to attach a file from OWA, you can browse to any location and select a file. From a local drive this is fine, but from a web resource such as OneDrive or SharePoint, the file looks to attach in the normal way, then an error appears stating your organisation does not allow this.

 

I really want to know if this is expected behaviour or a potential issue with our configuration.

 

Interestingly, with these policies in place the "Move To" option from SharePoint and OneDrive is also removed.