Block any email clients on Windows except Outlook Web

Greetings,

I'm opening this discussion to speak about how to block access to Exchange Online from any email client (Outlook, Windows 10 Mail, new Outlook for Windows, third-party client) on Windows devices (either Intune-unmanaged, Intune-managed, Microsoft Entra joined, Microsoft Entra registered, or Microsoft Entra hybrid joined). Only Outlook on the web is allowed.

TEST 1

My initial attempt, as mentioned in the post "how to block the Outlook desktop app while allow them use the Outlook On the Web (OWA)", was to block access through a Conditional Access policy.

  1. Target resources: Office 365 Exchange Online
  2. Conditions > Device platforms: Windows Phone, Windows, Linux
  3. Conditions > Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients
  4. Grant: Block access

Results: I realized it isn't applicable because, even if it meets the goal, it also blocks applications like Microsoft Teams.

TEST 2

I modified the CA policy by allowing access from compliant devices or hybrid joined:

  1. Target resources: Office 365 Exchange Online and Office 365 SharePoint Online
  2. Conditions > Device platforms: Windows Phone, Windows, Linux
  3. Conditions > Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients
  4. Grant: Grant access, Require device to be marked as compliant, Require Microsoft Entra hybrid joined device (Require one of the selected controls)

Results: In this way, I can force clients to be compliant (Intune-managed) or hybrid joined, at least; however, I cannot control access from email clients (consider, for example, a scenario in which end-users have Outlook installed for opening files in MSG or EML format).

TEST 3

The only way I found to achieve the goal was to take action on Exchange Online, by manipulating these properties for each mailbox via PowerShell (Set-CASMailbox):

  1. MAPIEnabled = false (block Outlook)
  2. UniversalOutlookEnabled = false (block Windows Mail app)
  3. OneWinNativeOutlookEnabled = false (block new Windows Mail app)

It seems that even if blocked (2), I can still configure and access the mailbox via Windows Mail.

I also realized (Welcome Sir !!! 🙂) that even if the above properties appear at plan level (Get-CASMailboxPlan), it isn't possible to set them (Set-CASMailboxPlan); but it is possible to disable, for example, IMAP and POP (?).

This solution assumes running a PowerShell script for setting these properties on new mailbox creation.

Any other suggestions?
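As an added example (not code from the original post), here is what the TEST 3 approach looks like as a script that can be scheduled to cover new mailbox creation: it applies the three Set-CASMailbox properties (plus the IMAP/POP switches) to user mailboxes created in a recent window and then reports any mailbox where a blocked protocol is still on. The time window, the plan-level IMAP/POP step and the verification pass are my assumptions, as is the use of Get-Mailbox/Get-CASMailbox from the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the caller holds an Exchange administrator role.
param(
    [int]$SinceHours = 24,   # assumed window: only mailboxes created recently; 0 = all
    [switch]$WhatIf          # dry run: show what would change without changing it
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Plan level: the three Outlook/Mail properties cannot be set on a plan (as the
# post observes), but IMAP and POP can, so new mailboxes inherit those two.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false -WhatIf:$WhatIf

# Select user mailboxes, optionally restricted to ones created in the window.
$filter = 'RecipientTypeDetails -eq "UserMailbox"'
if ($SinceHours -gt 0) {
    $cutoff = (Get-Date).AddHours(-$SinceHours).ToUniversalTime().ToString('o')
    $filter += " -and WhenMailboxCreated -gt '$cutoff'"
}
$mailboxes = Get-Mailbox -Filter $filter -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # TEST 3 properties: classic Outlook (MAPI), Windows Mail, new Outlook for
    # Windows; IMAP/POP closed as well. OWA is explicitly left enabled.
    Set-CASMailbox -Identity $mbx.UserPrincipalName `
        -MAPIEnabled $false `
        -UniversalOutlookEnabled $false `
        -OneWinNativeOutlookEnabled $false `
        -ImapEnabled $false `
        -PopEnabled $false `
        -OWAEnabled $true `
        -WhatIf:$WhatIf
}

# Verification pass: list every mailbox where one of the blocked protocols is
# still enabled, so drift (e.g. a mailbox created between runs) is visible.
$stillOpen = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.MAPIEnabled -or $_.UniversalOutlookEnabled -or
        $_.OneWinNativeOutlookEnabled -or $_.ImapEnabled -or $_.PopEnabled
    } |
    Select-Object Identity, MAPIEnabled, UniversalOutlookEnabled,
                  OneWinNativeOutlookEnabled, ImapEnabled, PopEnabled

if ($stillOpen) {
    Write-Warning "Mailboxes with a client protocol still enabled:"
    $stillOpen | Format-Table -AutoSize
} else {
    Write-Host "All selected mailboxes restricted to Outlook on the web."
}
```

Note that these Set-CASMailbox switches apply to the mailbox itself, not to a device platform, so unlike the Conditional Access attempts they also block the same clients on non-Windows devices.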

0 Replies