Conditional Access in Outlook on the web for Exchange Online

Published Oct 04 2018 05:26 PM 109K Views
Microsoft

 

We live in a world where employees want to use a wide range of devices; this includes corporate owned assets, as well as their personal devices, and public or shared devices.  While we want everyone to be empowered to work productively, we need to ensure we protect corporate data.

 

The freedom to work fluidly, independent of location, has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications. 

 

Exchange Online and Outlook on the web have been investing to ensure we are able to respond to evolving security challenges.  We start this journey by introducing Conditional access policies for Outlook on the web.  Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. 

 

Last week at the Microsoft Ignite conference we announced and demoed how to configure new conditional access policies.  These policies will restrict the ability for users to download attachments from email to a local machine when the devices are not compliant.  With the power of the Office Web Apps, users can continue to view and edit these files safely, without leaking data to a personal machine.  If you instead want to block attachments fully (when on a non-compliant device) we also support that!

 

Steps to Configuring Conditional Access / Limited Access for Outlook on the Web

To configure Outlook on the web Conditional Access follow these steps:

  • Connect to Exchange Online Remote PowerShell Session
  • Create a New OwaMailboxPolicy or Edit your existing one

 

Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly

 

  • Configure an Azure Active Directory Conditional Access Policy in the Azure Portal


    Figure 1: In the new policy enable Exchange Online in the App Selection



    Figure 2: Enable App Enforced Restrictions for Session Controls

To learn more about conditional access in Azure Active Directory, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access.

 

Once you have properly configured the policies in both Exchange Online and the Azure Portal, your users who are on non-compliant devices will start getting the Limited Access Experience.
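The Exchange Online side of the steps above, followed by a check of which mailboxes are actually covered, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module (`Connect-ExchangeOnline`); the policy name and pilot user are hypothetical placeholders, and the Azure AD policy with app enforced restrictions still has to be created in the portal.

```powershell
# Added example, not from the original post.
# Assumption: the ExchangeOnlineManagement module is installed.
# Hypothetical placeholders: $PilotPolicy and $PilotUser.
$PilotPolicy = 'OWA-LimitedAccess-Pilot'
$PilotUser   = 'pilot.user@contoso.example'

Connect-ExchangeOnline -ShowBanner:$false

# Create the pilot OWA mailbox policy only if it does not exist yet,
# so the script can be re-run safely.
if (-not (Get-OwaMailboxPolicy | Where-Object Name -eq $PilotPolicy)) {
    New-OwaMailboxPolicy -Name $PilotPolicy | Out-Null
}

# ReadOnly: attachments can be viewed and edited in the Office web apps,
#           but not downloaded on a non-compliant device.
# ReadOnlyPlusAttachmentsBlocked: attachments are blocked entirely.
Set-OwaMailboxPolicy -Identity $PilotPolicy -ConditionalAccessPolicy ReadOnly

# The setting only affects mailboxes that this policy is assigned to.
Set-CASMailbox -Identity $PilotUser -OwaMailboxPolicy $PilotPolicy

# --- Coverage check ---------------------------------------------------
# Index every OWA mailbox policy by name and find the default one, which
# applies to mailboxes that have no explicit policy assigned.
$policies      = @(Get-OwaMailboxPolicy)
$defaultPolicy = $policies | Where-Object IsDefault | Select-Object -First 1
$policyByName  = @{}
foreach ($p in $policies) { $policyByName[$p.Name] = $p }

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    # Resolve the policy that is effectively applied to this mailbox.
    $assigned = if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" }
                elseif ($defaultPolicy)  { $defaultPolicy.Name }
                else                     { '' }

    $policy = $policyByName[$assigned]
    $mode   = if ($policy) { "$($policy.ConditionalAccessPolicy)" } else { 'Unknown' }

    [pscustomobject]@{
        Mailbox                 = $_.PrimarySmtpAddress
        OwaEnabled              = $_.OWAEnabled
        EffectiveOwaPolicy      = $assigned
        ConditionalAccessPolicy = $mode
        # Off or Unknown means the Azure AD session control has nothing
        # to enforce for this mailbox in Outlook on the web.
        Restricted              = $mode -in 'ReadOnly', 'ReadOnlyPlusAttachmentsBlocked'
    }
}

# Summary per policy, then the mailboxes that would still get full access.
$report | Group-Object EffectiveOwaPolicy, ConditionalAccessPolicy |
    Select-Object Count, Name | Format-Table -AutoSize

$report | Where-Object { $_.OwaEnabled -and -not $_.Restricted } |
    Sort-Object EffectiveOwaPolicy, Mailbox |
    Format-Table Mailbox, EffectiveOwaPolicy, ConditionalAccessPolicy -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Any mailbox listed in the last table is using an OWA mailbox policy that still has `ConditionalAccessPolicy` set to `Off`, so the limited experience will not apply to it even when the Azure AD policy matches the sign-in.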

 


Figure 3: Notice that the download option, as well as the option to enable offline access, has been removed

 


Figure 4: The Office Web Editors will also have a banner informing the user that they have reduced capabilities due to their device compliance state.

 

We look forward to hearing how this works for your organizations!  We will continue to invest in ensuring that we provide the right level of access to your users so they can stay productive, all while protecting your corporate data.

 

David Los

-267314%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-267314%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20David%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20please%20clarify%20what%20license%20is%20required%20to%20deploy%20this%20feature%3F%20Do%20I%20need%20a%20AAD%20P1%20%2F%20P2%20or%20is%20part%20of%20Office%20E1%20subscription%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3ECatalin%20ROMAN%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-267261%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-267261%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20looks%20great%20thanks!%20Will%20the%20ability%20to%20modify%20the%20OWA%20policy%20extend%20to%20the%20GUI%20in%20Exchange%20Admin%20Centre%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-441391%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-441391%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20great%20video%2C%20but%20I%20don't%20understand%20the%20pro%2Fcons%20best%20practices%20to%20using%20%22App%20enforced%20Restrictions%22%20vs.%20using%20%22MCAS%20Conditional%20Access%20App%20Control%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-441718%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-441718%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F220042%22%20target%3D%22_blank%22%3E%40Peter%20Meuser%3C%2FA%3E%26nbsp%3BJAMF%20can%20also%20set%20the%20compl
iance%20state%20for%20Macs.%26nbsp%3B%20I'm%20not%20sure%20if%20it%20can%20also%20do%20it%20for%20iOS%20or%20not.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F208099%22%20target%3D%22_blank%22%3E%40Jonathan%20Schaumloeffel%3C%2FA%3E%26nbsp%3BMy%20understanding%20is%20that%20App%20enforced%20restrictions%20are%20basically%20a%20light%20version%20of%20MCAS%20Conditional%20Access%20App%20Control%20that%20doesn't%20require%20an%20E5%20level%20license.%26nbsp%3B%20From%20what%20I%20can%20tell%20from%20testing%20with%20app%20enforced%20restrictions%2C%20it%20actually%20uses%20MCAS%2C%20just%20with%20a%20more%20limited%20set%20of%20capabilities.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-480772%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-480772%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20test%20this%20policy%20using%20trusted%20location%20as%20one%20of%20the%20conditions.%20When%20the%20restricted%20Read%20control%20is%20applied%20it%20works%20fine%20for%20Office%20and%20PDF%20files%20(preview%20and%20save%20to%20one%20drive)%2C%20Unfortunately%20it%20totally%20blocks%20image%20files%20(Jpeg%2C%20png%20etc%20and%20txt%20file%20types)%20from%20being%20saved%20to%20one%20drive.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESurely%20it%20should%20let%20your%20save%20other%20file%20types%20to%20Onedrive%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-481358%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-481358%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Hitesh%20-%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B
%20float%3A%20none%3B%20background-color%3A%20%23f8f8f8%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EI%20was%20able%20to%20test%20this%20policy%20using%20trusted%20location%20as%20one%20of%20the%20conditions.%20When%20the%20restricted%20Read%20control%20is%20applied%20it%20works%20fine%20for%20Office%20and%20PDF%20files%20(preview%20and%20save%20to%20one%20drive)%2C%20Unfortunately%20it%20totally%20blocks%20image%20files%20(Jpeg%2C%20png%20etc%20and%20txt%20file%20types)%20from%20being%20saved%20to%20one%20drive.%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23f8f8f8%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EYou%20should%20be%20able%20to%20save%20directly%20to%20OneDrive%20even%20if%20you%20are%20not%20on%20a%20compliant%20machine.%26nbsp%3B%20Are%20you%20using%20the%20new%20Outlook%20on%20the%20Web%20experience%20or%20the%20old%20version%3F%26nbsp%3B%20It%20might%20be%20a%20bug%20that%20we%20can%20investigate.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB
%20id%3D%22lingo-sub-564837%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-564837%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F236218%22%20target%3D%22_blank%22%3E%40Gregory%20Gilbert%3C%2FA%3E%26nbsp%3Bso%20it%20is%20using%20the%20MCAS%20Reverse%20Proxy%20for%20%3CSPAN%3EApp%20enforced%20restrictions%3C%2FSPAN%3E%3F%20That%20seems%20contrary%20to%20what%20I%20have%20heard.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284466%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1284466%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20tested%20%22App%20based%20restrcition%22%20session%20based%20condtional%26nbsp%3B%20access%20to%20block%20user%20to%20download%20Files%20from%20OWA%20on%20unmanaged%20device.%20It%20is%20blocking%20file%20download%20and%20giving%20limited%20acces%20to%20unmanaged%20device%2C%20that's%20fine%20but%20why%20it%20is%20giving%20same%20experience%20on%20Managed%20device%20too%2C%20can%20anyone%20help%20me%20here.%20It%20would%20be%20grt%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284499%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1284499%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F142463%22%20target%3D%22_blank%22%3E%40Sonam%20Singh%20Chouhan%3C%2FA%3E%26nbsp%3BIt%20is%20for%20global%20not%20for%20managed%20or%20unmanaged%20devices%20because%20you%20will%20create%20policies%20tenant%20wide%20which%20applies%20on%20both%20managed%20and%20unmanaged%20platforms!%20So%20the%
20article%20heading%20is%20wrong%20posted%20here!%20Should%20you%20have%20been%20any%20queries%20kindly%20refer%20my%20article%20how%20it%20works%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Ffull-command-over-outlook-web-now-conditional-access-policies-sinha%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.linkedin.com%2Fpulse%2Ffull-command-over-outlook-web-now-conditional-access-policies-sinha%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284512%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1284512%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F136096%22%20target%3D%22_blank%22%3E%40Mitul%20Sinha%3C%2FA%3EI%20know%20the%20whole%20process%20but%20it%20should%20not%20block%20Managed%20device.%20If%20anyone%20can%20help%20me%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284550%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1284550%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F142463%22%20target%3D%22_blank%22%3E%40Sonam%20Singh%20Chouhan%3C%2FA%3E%26nbsp%3BI%20am%20still%20in%20dilemma%20to%20answer%20your%20question%20as%20why%20should%20I%20apply%20this%20policy%20to%20my%20managed%20devices%20which%20are%20already%20secured%20as%20Compliant%20Devices!!%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106235%22%20target%3D%22_blank%22%3E%40Oliver%20Kieselbach%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2
F85312%22%20target%3D%22_blank%22%3E%40David%20Los%3C%2FA%3E%26nbsp%3BIf%20you%20could%20help%20her%20in%20understanding%20the%20same!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284564%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1284564%22%20slang%3D%22en-US%22%3E%3CP%3ECA%20and%20OWA%20mailbox%20policy%20%3CSPAN%3Eapplies%20to%20users%2C%3C%2FSPAN%3E%20after%20implementing%20this%20policy%20why%20corporate%20devices%20are%20getting%20limited%20access%2C%20it%20should%20not%20be%20the%20case%2C%20right.%20Have%20you%20tested%20both%20senario.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284656%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1284656%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F142463%22%20target%3D%22_blank%22%3E%40Sonam%20Singh%20Chouhan%3C%2FA%3E%26nbsp%3BThat's%20really%20a%20conflicting%20point%20here%20as%20per%20the%20article%20being%20mentioned%20here%20but%20let%20me%20grab%20your%20attention%20on%20to%20the%20devices%20part%20as%20we%20are%20not%20applying%20on%20a%20platform%20level%20here%2C%20we%20are%20targeting%20only%20to%20the%20users%20and%20we%20also%20haven't%20performed%20based%20on%20Compliant%20level%20policies%20so%20I'm%20afraid%20to%20tell%20you%20that%20this%20article%20is%20having%20some%20gaps%20as%20it%20is%20explaining%20you%20only%20about%20OWA%20policies%20how%20to%20get%20restricted%20upon%20the%20document%20downloading%20or%20no%20access%20of%20images%20files%20if%20you%20apply%20OWA%20mailbox%20policy%20with%20CA%20app%20enforced%20restrictions%20from%20any%20devices%20BYOD%20or%20Corporate!%20Meanwhile%20I%20am%20about%20to%20get%20the%20results%20from%20m
y%20tenant%20for%20your%20questions%20will%20answer%20the%20same%20soon!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1290940%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1290940%22%20slang%3D%22en-US%22%3E%3CP%3EWould%20this%20in%20conjunction%20with%20setting%20Enforce%20App%20restrictions%20in%20SharePoint%20to%20%22web%20access%20only%22%20for%20unmanaged%20devices%2C%20prevent%20the%20user%20from%20attaching%20files%20from%20One%20Drive%20and%20SharePoint%3F.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1298275%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1298275%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F307307%22%20target%3D%22_blank%22%3E%40AndyfF360%3C%2FA%3E%26nbsp%3BThat%20you%20can%20set%20up%20from%20SharePoint%20Admin%20Center%20itself%20going%20to%20Access%20control%20option%20and%20also%20you%20need%20to%20setup%20some%20changes%20to%20conditional%20Access%20policies%20if%20you%20are%20looking%20to%20apply%20to%20specific%20users%20but%20this%20will%20be%20applicable%20only%20to%20OneDrive%20and%20SharePoint%20not%20to%20Outlook%20on%20Web%20part!%20For%20Exchange%20online%20limited%20access%20to%20users%20you%20must%20have%20to%20use%20app%20enforced%20only%20option%20from%20Conditional%20Access%20Session%20tab!%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-04-10%20at%2020.02.17.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F183614iE05034181A2F6D50%2Fimage-size%2Flarge%3Fv%3D1
.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-04-10%20at%2020.02.17.png%22%20alt%3D%22Sharepoint%20and%20OneDrive%20Limited%20Access%20settings%20from%20Access%20Control%20using%20SharePoint%20Admin%20Center%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ESharepoint%20and%20OneDrive%20Limited%20Access%20settings%20from%20Access%20Control%20using%20SharePoint%20Admin%20Center%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1310844%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1310844%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20any%20capability%20in%20Exchange%20Online%2C%20Microsoft%20365%20or%20Azure%20to%20limit%20the%20ability%20to%20copy%20content%20from%20Exchange%20Online%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314696%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314696%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F623364%22%20target%3D%22_blank%22%3E%40GTH20%3C%2FA%3E%26nbsp%3BHello%20I%20am%20afraid%20to%20inform%20you%20that%20within%20Exchange%20Online%20there%20is%20no%20option%20but%20yes%20for%20restricting%20copy%2Fpaste%2Fcut%20all%20you%20need%20to%20apply%20MAM%20policies%20from%20App%20Protection%20where%20we%20will%20target%20the%20Approved%20Client%20Apps%20-%20Exchange%20Online%20from%20Conditional%20Access%20Policies%20using%20Microsoft%20Intune%20via%20Enterprise%20Mobility%2BSecurity.%20I%20know%20your%20next%20question%20may%20be%20about%20EM%2BS%20(Enterprise%20Mobility%2BSecurity)%20so%20I%20would%20like%20to%20tell%20you%20that%20Microsoft%20365%20is%20having%20several%20plans%20where%
20EM%2BS%20is%20a%20part%20of%20it%20like%20M365%20Business%2C%20M365%20Enterprise%20Plans%20and%20M365%20F1%20so%20you%20can%20go%20through%20EM%2BS%20separately%20from%20this%20link%20%3CA%20title%3D%22EM%2BS%22%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-in%2Fmicrosoft-365%2Fenterprise-mobility-security%2Fcompare-plans-and-pricing%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EEnterprise%20Mobility%20%2B%20Security%20Features%3C%2FA%3E%26nbsp%3Bwhich%20will%20give%20you%20Microsoft%20Intune%20as%20a%20workload%20to%20apply%20all%20your%20relevant%20queries%20and%20will%20resolve%20your%20issue!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314720%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314720%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F136096%22%20target%3D%22_blank%22%3E%40Mitul%20Sinha%3C%2FA%3E%26nbsp%3BThanks%20for%20your%20response.%20I%20have%20already%20configured%20and%20deployed%20MAM%20policies%20from%20App%20Protection%20and%20also%20configured%20conditional%20access%20to%20only%20allow%20limited%20experience%20in%20Exchange%20Online%26nbsp%3B%20(no%20downloads%20or%20printing)%2C%20but%20neither%20App%20protection%20nor%20conditional%20access%20policies%20prevents%20copy%2Fpaste%20when%20a%20user%20accesses%20Exchange%20Online%20from%20a%20web%20browser.%20Please%20let%20me%20know%20if%20your%20experience%20is%20different.%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314728%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314728%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-
id%2F623364%22%20target%3D%22_blank%22%3E%40GTH20%3C%2FA%3E%26nbsp%3BCould%20we%20say%20that%20why%20not%20use%20Intune%20Managed%20browser%20rather%20accessing%20Exchange%20online%20from%20third%20party%20browser%20such%20as%20Safari%2C%20Chrome%2C%20Firefox%2C%20Internet%20Explorer%2C%20Edge%20etc..%20I%20will%20allow%20users%20to%20make%20sure%20that%20they%20will%20access%20all%20online%20version%20apps%20from%20an%20Intune%20Managed%20Browser%20and%20block%20these%20third%20party%20browsers%20from%20App%20protection%2FConditional%20Access%20Policies!!%20Let%20me%20know%20if%20this%20helps..%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314738%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314738%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F136096%22%20target%3D%22_blank%22%3E%40Mitul%20Sinha%3C%2FA%3E%26nbsp%3BEven%20with%20Microsoft%20Edge%20-%20which%20is%20an%20enlightened%20app%2C%20you%20can%20copy%2Fpaste%20from%20Exchange%20Online%20when%20accessed%20from%20Microsoft%20Edge.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314747%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314747%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F623364%22%20target%3D%22_blank%22%3E%40GTH20%3C%2FA%3E%26nbsp%3BI%20knew%20that%20and%20so%20that's%20the%20reason%20said%20you%20about%20using%20Managed%20Intune%20Browser%20where%20we%20can%20look%20for%20data%20transfer%20between%20Policy%20managed%20apps%20only!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314761%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20
in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314761%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F136096%22%20target%3D%22_blank%22%3E%40Mitul%20Sinha%3C%2FA%3E%26nbsp%3BTo%20clarify%2C%20I%20am%20talking%20about%20accessing%20Exchange%20Online%20from%20a%20Microsoft%20Edge%20browser%20on%20a%20Windows%2010%20computer%20...%20I%20found%20that%20there%20is%20no%20MAM%20app%20protection%20policy%20and%2For%20conditional%20access%20policy%20that%20can%20restrict%20copy%2Fpaste%20from%20the%20Edge%20browser.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1314763%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1314763%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F623364%22%20target%3D%22_blank%22%3E%40GTH20%3C%2FA%3E%26nbsp%3BI%20can%20understand%20it%20is%20not%20there%20we%20need%20to%20check%20with%20Microsoft%20will%20provide%20the%20feedback%20for%20Windows%2010!%20Thank%20you%20for%20the%20concern.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1322850%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1322850%22%20slang%3D%22en-US%22%3E%3CP%3ETwo%20questions%20if%20I%20may%3A%3C%2FP%3E%3COL%3E%3CLI%3ECan%20I%20set%20this%20up%20for%20Browser%20Only%3F%26nbsp%3B%20I%20already%20have%20a%20CA%20policy%20that%20restricts%20Desktop%20and%20Mobile%20apps%20from%20access%20unless%20they%20are%20Hybrid%20Azure%20AD%20Joined%2FCompliant.%3C%2FLI%3E%3CLI%3ECan%20I%20use%20Device%20conditions%20with%20this%20to%20specify%20just%20Windows%20and%20Macs%3F%26nbsp%3B%20I%20d
on't%20want%20to%20affect%20my%20mobile%20users%20who%20are%20already%20using%20App%20Protection%20(MAM)%20policies%20rather%20than%20enrollment%20so%20are%20technically%20unmanaged%20devices.%26nbsp%3B%20In%20the%20past%20changes%20that%20I%20made%20to%20CA%20policies%20to%20restrict%20access%20for%20unmanaged%20devices%20tried%20to%20force%20the%20mobile%20devices%20to%20enroll%20to%20become%20compliant.%20Didn't%20work%20out%20well.%26nbsp%3B%26nbsp%3B%3C%2FLI%3E%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1324367%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1324367%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92409%22%20target%3D%22_blank%22%3E%40Derek%20Pickell%3C%2FA%3E%26nbsp%3B-%20%26nbsp%3BLet%20me%20tell%20you%20one%20thing%20for%20Mobile%20Apps%20and%20Desktop%20Client%20Apps%20(Windows%20OS)%20perspective%20you%20can%20have%20restrictions%20from%20MAM%20policies%20with%20or%20without%20enrolment!%20I%20am%20afraid%20to%20say%20for%20MacOS%20functionality%20from%20App%20Protection%20Policy%20but%20for%20iOS%2C%20iPadOS%2C%20Windows%2C%20Android%20Devices%20MAM%20and%20MDM%20both%20can%20be%20worked%20together%20so%20even%20if%20you%20push%20MDM%20policies%20marking%20device%20as%20compliant%20there's%20no%20issue%20you%20can%20still%20apply%20MAM%20policies%20on%20to%20Enrolled%20Devices%20and%20Unmanaged%20Devices%20to%20have%20restrictions%20of%20Cut%2FCopy%2FPaste%2C%20Printing%20or%20backing%20up%20in%20local%20system.%20For%20Document%20restrictions%2Fattachment%20protection%20downloading%20and%20all%20go%20with%20AIP%20policies%20if%20you%20are%20looking%20to%20protect%20on%20to%20Mobile%20or%20Desktop%20Client%20Apps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1324688%22%20slang%3D%22en-US%22%3ERe%3A%20Con
ditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1324688%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20misunderstand%2C%20my%20question%20is%20not%20about%20MAM%20at%20all.%26nbsp%3B%20Or%20about%20Mobile%20apps%20and%20Desktop%20clients.%26nbsp%3B%20I%20must%20have%20done%20a%20really%20poor%20job%20communicating%20this%20initially%20for%20you%20to%20get%20it%20so%20backwards.%20I'll%20try%20to%20clarify.%3CBR%20%2F%3EMy%20questions%20were%3A%3CBR%20%2F%3E%22%3CSPAN%3ECan%20I%20use%20Device%20Platforms%20under%20Conditions%20in%20this%20CA%20policy%20to%20specify%20%3CEM%3Ejust%20Windows%20and%20Macs%3C%2FEM%3E%20so%20that%20iOS%20and%20Android%20aren't%20impacted%3F%22%2C%20and%3CBR%20%2F%3E%22Can%20I%20select%20j%3CEM%3Eust%20Browser%3C%2FEM%3E%20in%20the%20Client%20Apps%20part%20of%20Conditions%20so%20that%20I%20am%26nbsp%3B%3CEM%3Enot%3C%2FEM%3E%26nbsp%3Bselecting%20Mobile%20Apps%20and%20Desktop%20clients%3F%22.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1324733%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1324733%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92409%22%20target%3D%22_blank%22%3E%40Derek%20Pickell%3C%2FA%3E%26nbsp%3BIf%20you%20are%20talking%20about%20the%20above%20article%20OWA%20policy%20for%20restriction%20of%20Downloading%20and%20offline%20access%20then%20it%20is%20applicable%20to%20OWA%20only%20not%20on%20to%20Application%20level%20be%20it%20Desktop%20or%20Mobile%20App!%20And%20if%20you%20try%20to%20achieve%20the%20same%20OWA%20restriction%20policy%20only%20to%20Windows%20and%20MacOS%20then%20yes%20very%20well%20possible%20need%20to%20uncheck%20Android%20and%20iOS%20platforms!!%20And%20it%20is%20not%20even%20requir
ed%20to%20choose%20the%20conditions%20tab%20just%20because%20you%20are%20looking%20to%20apply%20policy%20on%20to%20platform%20level%20then%20set%20the%20policy%20only%20for%20Platform%20level.%20From%20Client%20Apps%20perspective%20this%20is%20not%20even%20required%20as%20this%20policy%20works%20only%20for%20the%20Browser%20level%20access%20i.e.%20OWA%20limited%20access!%20Kindly%20go%20through%20this%20article%20given%20above%20else%20you%20can%20check%20my%20article%20as%20well%20in%20LinkedIn%3A%20%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Ffull-command-over-outlook-web-now-conditional-access-policies-sinha%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.linkedin.com%2Fpulse%2Ffull-command-over-outlook-web-now-conditional-access-policies-sinha%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1325536%22%20slang%3D%22en-US%22%3ERE%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1325536%22%20slang%3D%22en-US%22%3EBonjour%2C%20il%20m'est%20impossible%20d'ajouter%20un%20compte%20mail%20orange%20%C3%A0%20mon%20compte%20Gmail%20dans%20Outlook%20aid%C3%A9%20moi%20s'il%20vous%20plait.%20merci%20d'avance.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1421680%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20in%20Outlook%20on%20the%20web%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1421680%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20David%2C%20great%20article%20thanks.%26nbsp%3B%20I%20have%20a%20follow%20up%20question%20regarding%20implementation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20successfully%20configured%20the%20Conditional%20Access%20policy%20for%20Windows%20only%20and%20for%20browser%20only%20and%20it%20works%20as%20designed%20so%20I%20answered%20my%20own%20previous%20question%2C%20however...%3C%2FP%3E%3CP%3
Last update: Oct 04 2018 05:26 PM