Conditional Access in Outlook on the web for Exchange Online
Published Oct 04 2018 05:26 PM 133K Views


We live in a world where employees want to use a wide range of devices; this includes corporate owned assets, as well as their personal devices, and public or shared devices.  While we want everyone to be empowered to work productively, we need to ensure we protect corporate data.


The freedom to work fluidly, independent of location, has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications. 


Exchange Online and Outlook on the web have been investing to ensure we are able to respond to evolving security challenges.  We start this journey by introducing Conditional access policies for Outlook on the web.  Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. 


Last week at the Microsoft Ignite conference we announced and demoed how to configure conditional access new policies.  These policies will restrict the ability for users to download attachments from email to a local machine when the devices are not compliant.  With the power of the Office Web Apps, users can continue to view and edit these files safely, without leaking data to a personal machine.  If you instead want to block attachments fully (when on a non-compliant device) we also support that!


Steps to Configuring Conditional Access / Limited Access for Outlook on the Web

To configure Outlook on the web Conditional Access follow these steps:

  • Connect to Exchange Online Remote PowerShell Session
  • Create a New OwaMailboxPolicy or Edit your existing one


Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly


  • Configure an Azure Active Directory Conditional Access Policy in the Azure Portal


    Figure 1: In the new policy enable Exchange Online in the App Selection


    Figure 2: Enable App Enforced Restrictions for Session Controls

To learn more about conditional access in Azure Active Directory see this.


Once you have properly configured the Polices in both Exchange Online and in Azure Portal your users that are in non-compliant devices will start getting the Limited Access Experience.


Fig 3.png

Figure 3: Notice that the download, as well as enabling Offline access options have been removed


Fig 4.png

Figure 4: The Office Web Editors will also have a banner informing the user that they have reduced capabilities due to their device compliance state.


We look forward to hearing how this works for your organizations!  We will continue to invest in ensuring that we provide the right level of access to your users so they can stay productive, all while protecting your corporate data.


David Los

Version history
Last update:
‎Oct 04 2018 05:26 PM
Updated by: